Skip to main content


What makes a good RegTech partner: fit and scalability

By Blog

Finding the right RegTech partner can be difficult. So we sat down with an industry expert to get his take on how he evaluates vendors.

As an expert in regulatory change management, Vincent Schultinge has seen the evolution and impact of regulation on financial firms firsthand. So, naturally, he has also been drawn to the niche industry that emerged to try to solve these RCM challenges—RegTech. 

Now, in his current role as a senior RegTech consultant at ING, he is responsible for defining, developing and implementing RegTech innovation throughout the ING organization. During his sit-down with Ascent, Vincent shares:

  • His perspective on what makes a good RegTech partner
  • What methodology ING follows when looking to implement a RegTech partner
  • How making machine readable regulation will open doors for the future of RegTech

Editor’s note: This interview has been lightly edited for clarity.

Using RegTech Maturity as an Evaluation Benchmark

To Vincent, managing regulation is a task that’s too fluid and too risky to put into the hands of new-to-the-market solutions. Here’s how he considers the maturity of RegTech.

When assessing a RegTech provider, you want to make sure it fits your business’s demands. I have a firm belief that we should strive for market standard solutions. Therefore I look to see whether a RegTech has the potential to become a market standard for their solution or offering. Once we have measurable results from a Proof of Concept (PoC), then we can decide if a RegTech is suitable for our purpose or not.

The way we assess RegTechs differs from the way we look at other vendors. Due to constant regulatory oversight as a bank, we have less freedom to experiment. For many business cases we will look for parties that are more mature and that have, for example, delivered the equivalent product to our peers or are engaging in sandboxes with regulators.


Being Able to Audit RegTech’s Black Box

Vincent believes that “auditability” is a key factor that firms should also consider when determining whether or not to work with a RegTech provider.

Providers should always be able to explain and demonstrate how their machine learning works. For risk and compliance teams, auditability of machine learning is absolutely key. If you can’t audit a technology solution properly, especially a machine learning solution, it becomes Pandora’s box. Not to mention that regulators won’t accept anything less than full transparency.


Aligning Around a RegTech Provider

At ING, Vincent’s team relies on what they call “PACE” methodology when considering what RegTech solution to implement.

Whatever methodology you are using to implement RegTech, you have to be consistent, thorough, and constantly verify that you are doing the right thing. 

At ING, we use our in-house PACE methodology for the delivery of innovation. This applies to our delivery of RegTech as well. With PACE, we combine Design Thinking, Lean Startup and Agile Scrum into a single process. PACE consists of five stages being: discover, problem fit, solution fit, market fit and scaling. 

For us this works really well and we gained a lot of traction with this in the organization. On top of PACE methodology at the whole of ING we practice an agile way of working. This helps accelerate the way we set up PoCs as well as other partnerships. 


Unlocking the Value of RegTech

For RegTech to truly be effective, Vincent has learned that it’s important to first have a culture of innovation prior to implementing a solution.

It is essential that you have business owners with the right mandate and budget who are convinced by the usage of technology. Business and innovation teams have to be able to establish the demand and create strong use cases for the application of RegTech. Teams should collaborate in such a way that the business demand and the premise of the solutions are a true match. This will help with validating and demonstrating the benefit of using certain RegTech solutions along the way. Regardless of the size of the firm, you need the right innovative culture and the right appetite from business owners; otherwise, it just won’t work.


Using RegTech to Manage Pandemic Woes

According to Vincent, the pandemic has only amplified the need for RegTech.

Regulatory changes keep coming, especially considering that people are working remote and are having to align virtually due to the pandemic. Regulators demand that banks remain in control. So, firms need to be able to monitor upcoming changes in the regulatory landscape by scanning the regulatory horizon as well as assessing obligations and potential risks. This is where having proper tooling in place for horizon scanning and risk assessment will definitely help firms to maintain control in these difficult times.


Pioneering the Next Frontier of RegTech

What’s next for RegTech? Vincent believes that making regulation machine readable will open incredible opportunities for financial firms to unlock the true potential of RegTech.

In order for RegTech to play an even bigger role in the industry, we first need to look into a few things— machine readable regulations, data and format standardization, and global harmonization of regulations. If regulations, updates and guidelines become machine readable and ingestible globally, it will become easier for firms to demonstrate compliance and adhere to rules and guidelines more efficiently. It will open a whole range of possibilities for the adoption of RegTech within financial institutions.

The same applies to data and format standardization. If we can agree on common data and format standards, adherence to regulations becomes more efficient. With the financial system being a truly global system nowadays, it allows institutions to act across jurisdictions in a safer and more compliant manner. Together, with harmonizing regulations globally, this could translate into a much broader usage of RegTech within the financial system. This end goal is something that I believe will contribute to the overall safety and stability within the financial industry.

ING is a global bank that aims to empower people to stay a step ahead in life and in business. Visit ING’s website. 

For more content like this, subscribe to our email updates.


Brexit Impact: A Look at the Next Normal

By Blog

Back in 2016 when the concept of the United Kingdom’s exit from the European Union (“EU”) seemed like a fantastical proposition, the prospect of the referendum’s success let alone its implications seemed like a mystery. The question for financial institutions now becomes how to implement and maintain a newly-domesticated compliance framework in the face of regulatory uncertainty. 

The Story on Domestic Data

The larger focus for financial services will be on sustainability of domestic and international compliance frameworks for areas such as data, sanctions, and overall governance. 

The UK has implemented a host of regulatory expectations in the past few years, from MiFID to the Senior Managers’ Regime. While those regulations will continue, financial services must continue to enmesh international laws with touch and concern to the UK in their programs.

Despite the UK’s exit from the EU, the parameters of the General Data Protection Regulation (“GDPR”) will continue to be enforceable. In fact, GDPR has been a primary area of international enforcement, with two UK-centric breaches in 2020 totaling in USD $56 million in penalties alone. 

CASE STUDY: How a Global Top 50 Bank Pinpointed Its GDPR Obligations Using Ascent


Similarly, despite infrequent enforcement actions for sanctions violations from the UK in the past few years (OFSI issued its first ever sanctions penalty in 2020 since its establishment four years prior), the UK Sanctions and Anti-Money Laundering Act of 2018 will continue to pose challenges for UK banks wishing to keep a foot in the international space.

In late December, the Financial Conduct Authority (“FCA”) issued the final Temporary Transitional Power (TTP) directions. Firms should be well-versed in the TTP directions, as they outline which regulations are expected to be maintained throughout the transaction and which have exemptions until the end of the transition period in March 2022. While these provisions apply to existing entities, the FCA was careful to note that the TTP does not apply to new European Economic Area entities seeking to onshore. 

Business as Usual for AML

As part of the EU, the UK would have historically been adhering to the framework of the EU’s Anti-Money Laundering Directives (“AMLD”). This would have been leveraged to set the framework for an anti-money laundering compliance program, from the “pillars” approach derived from the Financial Action Task Force (FATF) standards, to threshold for transaction monitoring. 

From a practitioner’s perspective, the EU AMLD set basic criteria that were then enhanced or supplemented, as needed, at the country level. In the absence of those directives, the UK will now rely entirely on the Proceeds of Crime Act (“POCA”) and its interpretation by regulators to determine firms’ adherence to AML standards. The FCA has not had a particularly robust enforcement year in terms of AML enforcement, with only two notable penalties issued for compliance-related failures. In fact, the absence of such enforcement actions has been cited in the press as a relative laxity by the regulator. 

Perhaps due to Brexit or exacerbated by it, the FCA has not made clear that AML compliance will be a priority over conduct-related enforcement in the coming year. Given the EU’s spate of Baltic-related fines and penalties, the first AML fine of 2021 may in fact be related to the same.  

The Way Forward

There is, as was expected when Brexit was first announced, a bit of trailblazing to be expected in the next few years. The shifting regulatory expectations around conduct over AML and sanctions enforcements is suggestive, but not dispositive. While the FCA has recently provided a rulebook with post-Brexit expectations, unlike their peers in the US, wavers have been embedded with those expectations, some as far out as 2022.  Perhaps drawing from their peers (subsidiaries and affiliates too) in the US, UK-based banks will need to leverage a far more conservative risk-based approach until the updated regulatory expectations become more certain.  

In the meantime, new technology such as regulatory knowledge automation can help financial firms keep tabs on enforcements, updates, and rule changes as they are issued. Today, many firms continue to try to manage and synthesize this influx of information in the same ways that it always has — by increasing personnel to do the work manually. 

INFOGRAPHIC: Regulatory Knowledge Automation, Explained


But missing even the finest detail within a body of regulation or rule amendment can be disastrous for a firm. Like the proverbial needle in the haystack, any obligation missed among the thousands of lines of regulatory information could have severe consequences come audit time. 

Regulatory knowledge automation uses machine learning (ML) and natural language processing (NLP) to complete this work in mere minutes, at a fraction of the cost, and with greater accuracy than manual efforts.

READ MORE: How to set a foundation for your regulatory compliance framework


For more information about RegTech, regulatory knowledge automation, and articles like these,  subscribe to our monthly Cliff Notes newsletter.



SEC Priorities: Cryptocurrency Regulation and a Changing of the Guard

By Blog

Despite the pandemic, Reuters reports that the U.S. Securities and Exchange Commission (SEC) has had a banner year, with more than 700 cases and enforcement actions. As of November, that number represented over USD $4.7 billion in penalties, fines, and disgorgements assessed. The ratio of fines to penalties is a bit askew, considering that one fine alone represented a USD $1.2 billion settlement.

Still, the agency has been particularly busy with disclosure and regulatory-related penalties, in contrast to a mere seven enforcement actions by the Financial Crimes Enforcement Network (FinCEN). Of course there is an issue of the remit of the respective agencies that would need to be taken into consideration, but one priority of the SEC has seemed to remain squarely in the initial coin offering (ICO) / cryptocurrency-related space. Here’s a look back at SEC cryptocurrency regulation from this year and what’s to come from SEC leadership in 2021.

ICOs Strictly Subjected to Howey Test

The SEC announces its enforcement priorities annually, and 2020 was no different, if only in that respect.  At the start of the year, the Office of Compliance Inspections and Examination (OCIE) released its 2020 Examination Priorities, and in it the agency noted that “digital assets” would be a priority. Many of the enforcement actions that occurred throughout the year were related to either ICOs, either as fraudulent schemes or due to poor regulatory disclosures.

The SEC has treated ICOs fairly strictly over the past few years, perhaps punctuated by the Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (the “DAO”), released in mid-2017. This report galvanized the agency’s approach to tokenization and ICOs, noting that strict adherence to the Howey test (i.e., an investment of money and expectation of profit as the result of a common enterprise, with the profits coming from the efforts of a third party) would apply to ICOs.

To that end, ICOs who tested the SEC’s resolve found that the failure to register or seek an exemption to the Howey criteria would result in multi-million dollar penalties.  In one enforcement action in particular, the SEC noted that the ICO in question—though it knew or had reason to know that it was a security based on the DAO report and prongs of the Howey Test—continued to sell its offering without making appropriate disclosures to its investors.  

READ MORE: The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More


Changing of the SEC Guard

The current chairman of the SEC, Jay Clayton, has publicly stated that he intends to step down from the position, leaving the incoming administration to make a nomination. Clayton’s tenure was remarkable, and has seen lauding from both sides of the aisle.  The two current names being floated to replace him are Gary Gensler, former chairman of the Commodities Futures Trading Commission (CFTC), and former prosecutor Preet Bharara. Already named to President Elect Biden’s transition team, Gensler has no shortage of experience dealing with both regulators and the private sector.

During his time at the CFTC, Gensler pushed for sweeping regulation of swap trades and has been viewed as someone who—as a former partner at Goldman Sachs—could potentially deliver diplomatic regulatory outcomes. Bharara, on the other hand, poses a far more significant shift in regulatory tone. Bharara is known, and well-respected, for his work on major insider trading and white collar cases.

Despite the significant number of actions under Clayton’s tenure (over 3,000 examinations in 2020 alone), Bharara’s appointment would signal a no-nonsense approach to both civil and regulatory engagements.

Preparing for What (and Who) is Next

Other names circulated are Dodd-Frank contributor Michael Barr, as well as Allison Lee (a former securities law practitioner and currently an SEC commissioner) and Kara Stein (a former SEC commissioner) who would both bring senior-level, hands-on experience to the position. There are innumerable variables still at play after the outcome of the November 2020 election. Needless to say, the SEC and other high-profile regulatory positions will keep Wall Street waiting with baited breath, and those of us in the bleachers a lot to consider. 

READ MORE: What are “granular” obligations in RegTech, and how do they reduce your risk?


No matter who takes the helm at the SEC (and at other U.S. regulators), it’s important for financial institutions to keep tabs on regulation at both the national and state level. It’s within these agencies that incremental changes occur and often catch organizations off guard. Be sure that your firm is ready for what’s next. Shore up your compliance and risk strategy by identifying all of your key risk factors, including any potential gaps in your firm’s regulatory obligations / requirements.

READ MORE: Regulatory Change Management: A Tech-Based Approach


Ascent helps banks and other financial firms stay above the rising tide of regulation, from the SEC and other regulators. Learn more about our regulatory coverage here.

The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More

By Blog

There has been no shortage of media chatter in the very unusual 2020 calendar year.  For those concerned with organizational compliance, the release and re-release of regulatory guidance and legislation — particularly around BSA/AML and corporate compliance programs — has been nearly unparalleled.  As we will show, these developments have significant implications, if not direct calls to action, for banks.   

The BSA/AML Manual Hits Hard

At the risk of hyperbole, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) Examination Manual (the “Manual”) is perhaps the most sacrosanct of all regulatory frameworks. Intended to serve as a field guide for examiners, instead its outlines and parameters are utilized by banks’ BSA/AML compliance departments as the foundation for their compliance programs and by auditors as a basis for testing protocols. Updated in April, the Manual was not radically updated but the updates that were made were significant.  First and foremost, the Manual makes reference to “other illicit activity” as a nod to the nebulous nexuses between crimes like healthcare fraud, corruption, and money laundering.  The Manual further updates provisions in regards to risk assessments (while not flat out requiring them) and board-level oversight, broadly, requiring that banks ensure that their compliance programs are tailored to their unique risk profiles.  

Perhaps the most significant updates include expansions to the expectations around training.  Where only a paragraph existed previously, the updated Manual expands its expectations to have role-based technical and subject-matter training, along with much more precise guidance on the expectations for board of directors training.

READ MORE: Regulatory mapping is key to compliance. Are you doing it effectively?


A Major Emphasis on Corporate Compliance Programs

As many compliance practitioners were settling into remote working, the U.S. Department of Justice (USDOJ) re-issued its Evaluation of Corporate Compliance Programs (the “Guidance”).  In examining whether to consider and the depth of criminal penalties, prosecutors too (harkening back to the Manual) should look at whether the organization at issue maintains and leverages a risk assessment to inform decisions about compliance and mitigate the risk of misconduct.  The Guidance goes on to note that perhaps one of the most important factors is, based on the risk assessment, how were allocations for staffing, technology, and resources such as training allocated.  Were cost centers given hiring priority over compliance staff?  Is the annual compliance training program a leaflet?  Are the sales staff on top-of-the-line computers while the compliance and audit teams are using ineffective tech? 

All seem like fair questions. 

The Guidance directly states that compliance should be built into the compensation scheme, and that it should be a considerable factor in the allocation of (or withholding of) bonuses.  Lastly, the Guidance reiterates the need for ongoing monitoring, testing, and escalation of the state of misconduct-related controls and their investigations.  

READ MORE: How an Integrated Risk Management (IRM) approach can transform your organization


On the AML Horizon

There are two fairly significant developments  pending approval, and we cannot emphasize “pending” enough – a shell company transparency provision and the Anti-Money Laundering Act of 2020.  They are both embedded within a defense spending bill that the White House has threatened to veto for unrelated reasons. The shell company provision would mandate the registration of beneficial owners with the Treasury department, effectively ending anonymous shell company use within the U.S.  

Secondarily, if passed, the Anti-Money Laundering Act of 2020 would mandate that the Secretary of the Treasury take steps to “streamline” BSA/AML compliance requirements.  In its September Advance Notice of Proposed Rulemaking (“ANPRM”), FinCEN sought input from the banking community on how to make more “effective” use of BSA/AML systems and processed, skewing more in favor of law enforcement’s needs than compliance.  The proposed AML Act seems to end-run the feedback solicited by the ANPRM, and place the obligation with the Treasury to ease, reduce, or otherwise better facilitate the production and utilization of BSA/AML-related information.  

While the approval of the AML Act and its governing bill are in a tentative state, the ongoing developments in this space speak to big changes for the BSA/AML compliance space going forward.  

Keeping Pace with Change: A Tech-Based Approach

While these regulatory developments are broad reaching, their impact is different at each financial institution. This leaves Compliance teams with the tall order of reading through and analyzing the regulatory text to determine which parts of the Manual or the Guidance applies to their organizations — which can be like looking for a needle in a haystack.

According to an Ascent internal analysis, 65 percent of the regulatory text (the haystack) is made up of definitions and clarifications. The remaining 35 percent, which actually consists of obligations, is what compliance teams need to be reviewing in order to determine what regulatory requirements and obligations specifically apply to their firm (the needle).

READ MORE: Regulatory Change Management: A Tech-Based Approach

Ascent can help banks and other financial firms stay above the rising tide of regulatory change. Read this article to learn how our RegTech platform can help your firm quickly produce “granular obligations” and keep them current as new regulatory developments arise.

If you’d like to contact a team member directly, you can do so here

To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.


A former regulator’s take on AI, Big Tech, and RCM

A former regulator’s take on AI, Big Tech, and RCM

By Blog

Rick Bonhof. Managing Consultant, SynechronWe recently sat down with Rick Bonhof, a managing consultant who leads the Amsterdam regulatory change and compliance practice within the business consulting arm of Synechron—a leading digital transformation consulting firm that accelerates digital initiatives for banks, asset managers, and insurance companies around the world.

In his role, Bonhof oversees a team of experts who help clients build the regulatory framework that enables compliance. As an advisor for the digital-first firm, Bonhof is hyperfocused on making compliance more efficient through the use of technology, leveraging emerging tech such as machine learning and existing systems such as GRCs.

Prior to Synechron, Bonhof served as a supervision officer for Dutch regulator Autoriteit Financiële Markten (AFM) at the height of the 2008 financial crisis. After spending seven years crafting and executing supervisory strategy for AFM, he decided to redirect his work from supervising firms to actually helping them become compliant with regulation. And so, after witnessing how Synechron helped a number of financial institutions get back on track with EMIR (the EU equivalent of Dodd Frank in the US), Bonhof transitioned to the firm.

During our sit-down, Bonhof shared his blended supervisory-consultative perspective on a variety of topics—from the role of regulatory change management during the COVID-19 pandemic to how Big Tech will shape the future of financial services.

Editor’s note: This interview has been lightly edited for clarity.

Setting the Record Straight on Regulators

Touching on his experience as a former regulator, Bonhof kicked off our conversation by sharing what he wished compliance professionals knew about regulators, and what he wished he had known as a regulator. 

When I made the switch from regulator to consultant, I realized that a lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you. What I think compliance professionals sometimes forget is that if you’re able to explain to regulators why you made certain decisions and how you implemented certain requirements, they’ll listen to you.

“A lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you.”

My advice to compliance professionals is to document their interpretation of the rule and why they applied the rule in a certain way according to their interpretation, so they have all of the information they need when it comes time to talk to regulators.

On the flip side, what I wish I had known as a regulator was, no matter how simple a request for information may seem on paper, it doesn’t actually mean that there’s a clearcut way to gather requested information or to implement a new rule. Many financial institutions do not start out as multinational global-spending institutions—they grow through mergers, acquisitions, and restructuring.

So there’s a whole collection of teams that suddenly need to contribute to this “one simple request,” making it not so simple after all.

Managing Regulatory Change in the Time of COVID 

Bonhof has long emphasized the importance of having a well-documented regulatory change management (RCM) strategy, especially when it comes to major events such as financial crises, election years and of course — the COVID-19 pandemic.

When it comes to regulatory change management, my mantra has been “take control, be in control, and demonstrate control.” 

“Take control” is about understanding what your obligations are, understanding the impact of them, and then implementing and enforcing a compliant process.

“Be in control” is about understanding where your firm is in terms of compliance with the requirements, and revisiting both its requirements and compliance processes frequently. You should not only be control testing your processes to understand whether your firm is compliant with existing rules, but also monitoring whether there’s a change coming that could impact compliance with those rules. And, if there is a change on the horizon, then you need to go back to “take control” and proactively act on it.

Lastly, “demonstrate control” is about being able to take the evidence that you have and explain both internally and externally to what extent you comply with those measures.

How to Avoid Dropping the Ball on RCM

In Bonhof’s view, the biggest mistake that firms can make when implementing RCM best practices, is to treat them as a one-time solution. 

Most regulatory change management processes are driven by a regulatory change implementation date. Let’s say that a firm has to comply with X, Y, and Z by January 1, 2021. What I’ve found (and even been guilty of myself) is that many firms focus solely on making that milestone without the end result in mind. So once the firm does reach it, everyone sort of drops the ball and says, “We’re done, we made it.” But that’s the wrong approach because 2021 does not mark the end of implementing that change, it actually marks the start of it. 

What I’ve found (and even been guilty of myself) is that many firms focus solely on making [a] milestone without the end result in mind.

Firms are expected to be compliant with that new rule, and need to have a roadmap that accounts for what comes after that date. Firms often put makeshift technical solutions in place to meet the deadline, but then what happens is the technical solution silently becomes the structural solution. The result is that there’s no roadmap beyond that point to account for new data that needs to be tracked or changed, resulting in an issue of data quality and therefore explainability. 

COVID Response: Swings of the Regulatory Pendulum

To Bonhof, regulatory change management has never been more important as the pandemic response continues to fold. While he and his team have seen the easing of certain regulatory requirements, they have also seen the mounting impact of others.

On the one hand, the regulatory response to the pandemic has been to suspend certain requirements in order to alleviate the burden of regulation. However, at the same time, we’ve also seen an increase in requests for financial firms to implement certain risk measures from regulators such as the European Securities and Markets Authority

For example, we had an “intelligent lockdown” in the Netherlands that prohibited us from going to the shops or the cinema. As a result, this (like other lockdowns across the globe) had a large impact on service providers, as many businesses had outstanding loans with financial institutions and were suddenly not able to make good on those loans. This has led to a tipping of scales with regulators adding more capital reporting requirements, while continuing to suspend or delay implementation of other regulatory requirements. For example, ESMA deferred the final two phases of its bilateral margin requirements to provide additional operational capacity for counterparties to respond to the immediate impact of COVID-19. 

On the Importance of Innovation in IRM

While regulators have been more forgiving during the pandemic, they have also become increasingly more aware of all of the possible gap—bringing the topic of Integrated Risk Management (IRM) to the fore. Here’s Bonhof’s take on IRM.

Integrated Risk Management allows you to identify what risks exist within your firm, define a response to those risks, and then determine whether your firm is within that risk appetite. Ultimately, IRM combines all of those processes and rolls them up into a multi-level process chart where you can prioritize risks and pinpoint which ones are of the highest risk to your firm. 

IRM is such a hot concept right now because regulators are putting more emphasis on it.

As part of Synechron’s FinLabs RegTech accelerator suite, I’ve actually had the opportunity to work on automating parts of IRM. Knowing how effective your controls are is a key part of integrated risk management, so we built an intelligent control testing environment that maps a firm’s individual control statements into a decision tree that automatically runs against a data set to help firms quickly pinpoint whether a control is effective or not. This advancement frees up compliance teams’ valuable resources so they can focus on remediating any deficiencies.

These types of innovation are becoming more important as Integrated Risk Management continues to gain more traction. IRM is such a hot concept right now because regulators are putting more emphasis on it. For example, ESMA recently published a consultation paper that assessed the suitability of the management at financial institutions, which concluded that the highest levels of management (including at the board level) need to understand their firms’ requirements, how they are complying with them, and what the state of the firm’s risk management looks like.  

Clash of the Titans: Big Banking vs. Big Tech

As an innovator in his own right, Bonhof is naturally drawn to industry disruptors. In particular, he has been following the rise of digital banks and believes that it’s only a matter of time until Big Tech enters into the banking industry as well.

The rise in digital banks has served as a catalyst for digital transformation in the industry at large. In order to stay competitive with digital banks, traditional banks have worked to provide digital services to their customers. For customers, having a digital bank account becomes more of a commodity because it opens up a whole ecosystem of additional services around it. 

For digital banks, their competitive advantage is that they’re not burdened by a chain linked system of legacy tools or processes, so they can get it right immediately. Digital banks can be more nimble when it comes to things like digital client onboarding processes and company reporting. On the other hand, it’s difficult for digital banks to achieve the same scale as larger banks. Plus, they’re bound to face the same kind of regulatory requirements as incumbent banks and will need to comply with them, lessening some of their initial competitive edge.

When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

What I’m really curious about is when Big Tech will officially enter into the banking space. Today, we have Apple Pay and Google Pay, but I think that it’s just a matter of time before they’re adding banking services to their offering. At that point the market will change. Digital banks just mark the beginning of the banking industry’s digital transformation. When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

Financial Firms and Regulators to Step Up Their AI Game

With the high likelihood of Big Tech companies entering the market in addition to other innovations in financial services, Bonhof is encouraging the industry to direct its focus toward emerging technologies such as Artificial Intelligence (AI) now, before it’s too late.

I think regulators really need to step up their digital game. They need to understand the tech component that goes into digital banking. AFM just compiled an insightful trend report where they spoke around their fears about Big Tech entering into the financial market. Today, Big Tech is predominantly supervised by privacy watchdogs. But, if Big Tech entered the financial market tomorrow, financial market regulators would not always be allowed to share information with those supervisory agencies, so that would make supervision really difficult. 

Regulators are just now issuing responses around the use of AI, which center around the concepts of explainability and trustworthiness. Together, they are two sides of the same coin because they help explain the decisions that come out of algorithms and apply fair principles that limit their biases. However, I still think that we have a ways to go and that regulation around the use of AI will only continue to increase in the future as the digital market matures.

The Role of AI in Regulatory Compliance

According to Bonhof, the role of AI is not just limited to the mechanics of digital banking. It applies to regulatory compliance too.

We recognize that regulators are starting to provide guidelines around AI, so we are changing the way that we advise our clients about AI. AI was once the new and exciting thing to talk about. Now it’s the means to an end. We’re looking at where AI models can help firms improve explainability in their compliance processes. 

AI was once the new and exciting thing to talk about. Now it’s the means to an end.

Using robotics (or AI) helps automate certain regulatory compliance processes such as horizon scanning, and makes the outcomes of those processes more predictable and reliable. AI allows teams to focus less time doing the monotonous work of running these processes and more time on investigating outliers. Instead, the “robot” leads the processes and identifies areas where there are inconsistencies that require the review of compliance experts.

On Implementing RegTech: Final Advice

So, what’s Bonhof’s advice to firms that are looking to implement new technologies in their compliance programs? “Be really clear about what you want to achieve in your compliance program and therefore what you want the technology to achieve.”

First, you need to understand where you are and where you want to go. For instance, if your firm was just fined by a regulator, then you’ll likely need to find a solution that can help you become more compliant. On the other hand, if your organization is in a good place but needs to become more efficient, then it’s likely you’ll need a different tech stack than the firm that was recently fined. When you understand what you want to achieve by adding technology, then you can better pinpoint the right type of technology solution for your compliance program.


If you’d like to learn more about Synechron, visit their website. To learn more about Rick Bonhof, connect with him on LinkedIn

If you’d like to contact an Ascent team member, you can do so here. Stay tuned for our next interview from the lines of defense. All interviews will be featured in our monthly Cliff Notes newsletter, which you can subscribe to below.

Subscribe to Cliff Notes

Webinar screenshot

[Webinar] Effectively Managing Your Regulatory Obligations Register

By Blog

Struggling to understand what your organization needs to comply with? Wasting too much time and resources scraping through regulations and building your obligation register? You’re not alone.

In this webinar, experts from LogicGate and Ascent we walk you through regulatory compliance insights and best practices to save you time and resources.

Learning Objectives

» What is the difference between a “top down” vs. “bottom up” approach to regulatory compliance?

» How do you evidence compliance, especially during a pandemic when the labor force is spread out?

» Boards are scrutinizing compliance more closely; how do you balance in-house staff, outsourcing, and technology?

» Learn how to set up a repeatable process around your compliance program to manage change & downstream impact.


  • Brian Clark, Founder and President, Ascent
  • Marc Van de Ven, Sr. Solutions Engineer, LogicGate
  • Moderated by Megan Brown, Head of Strategic Alliances, LogicGate

This webinar is hosted by OCEG (Open Compliance and Ethics Group)


About the Ascent / LogicGate Platform Integration

LogicGate Risk Cloud™ is a cloud-based platform with a suite of risk management applications that transforms the way businesses manage their governance, risk and compliance processes. Now with a powerful new integration, you can fuel your compliance program housed in LogicGate Risk Cloud™ with targeted regulatory data from Ascent. Seamlessly map your regulatory obligations and citations to your controls and P&Ps, trigger change alerts, and more. Learn more about Ascent’s API integrations here


For monthly insights on compliance and technology, subscribe to our monthly newsletter Cliff Notes below.


Ascent Named to the Prestigious RegTech 100 List for the Third Consecutive Year

By Blog, Featured

Ascent has been named to the prestigious RegTech 100 list for the third year running. The RegTech 100 list is comprised of the world’s most innovative technology firms helping financial services firms address the challenges of regulatory compliance.

Press Release | Chicago, IL | December 2, 2020 Ascent, an AI-driven solution that helps customers identify the regulatory obligations and rule updates that apply to them, is today celebrating the news that the firm has been named to the prestigious RegTech 100 list for the third year running. Overseen by specialist research firm RegTech Analyst, the RegTech 100 recognizes the world’s most innovative technology providers that are solving a significant industry problem, or to generate efficiency improvements across the compliance function. 

READ MORE:  Rapid Review: What is RegTech?


Ascent’s groundbreaking RegulationAI™ rapidly and accurately identifies a financial firm’s regulatory obligations, then keeps them updated as rules change. This targeted regulatory knowledge can be accessed and managed through Ascents cloud-based platform, or fed into a separate GRC (governance, risk and compliance) via API. 

By automating a process that would typically take compliance personnel significant time to complete manually, Ascent helps maximize efficiencies, reduce error, and ensure that firms know exactly what needs to be done in order to avoid fines and mitigate risk. 

“Ascent was founded to give businesses greater confidence in their compliance and risk operations. The turmoil of 2020 has highlighted for us the importance of that mission.” —Brian Clark, President and Founder, Ascent

“We are honored to once again be named in the RegTech 100,” said Brian Clark, Ascent President and Founder. “Ascent was founded to give businesses greater confidence in their compliance and risk operations. The turmoil of 2020 has highlighted for us the importance of that mission. The age-old problem of regulatory compliance – ‘you don’t know what you don’t know’ – is what Ascent was built to solve, and by doing so, we aim to help our customers achieve certainty in an uncertain world.”

“The RegTech100 list helps senior management filter through all the vendors in the market by highlighting the leading companies in [each] sector.” —Mariyan Dimitrov, Director of Research, RegTech Analyst

RegTech Analyst director of research Mariyan Dimitrov said, “Banks and other financial institutions need to be aware of the latest RegTech innovation in the market in order to avoid new compliance risks and stay competitive despite new regulations around customer onboarding and remote communication post Covid-19. The RegTech100 list helps senior management filter through all the vendors in the market by highlighting the leading companies in [each] sector.”

Ascent has been rapidly gaining momentum since its founding in 2015. Since its inception, Ascent has secured $26.7M in funding and doubled its staff. Ascent serves a range of financial institutions, including global financial firms and SMBs in the banking, securities, and derivatives industries.   

Ascent's RegTech 100 Badge


To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.



Regulatory Change Management: A Tech-Based Approach

By Blog

What is Regulatory Change Management?

Regulatory change management (RCM) is a multi-step process that ensures your organization stays compliant with any new changes in regulation. At a high level, RCM involves the intake of regulatory changes (rule amendments or additions), determining the impact of those changes to the organization’s existing obligations, updating the necessary controls, policies and procedures, and then working with the lines of business to ensure those changes are socialized and implemented.

Flow chart of traditional regulatory change management process (manual)

Firms Struggle with Regulatory Change

For regulated businesses, keeping up with the torrent of regulatory change is a constant struggle. In an environment where rule updates have increased by 500 percent in the last decade, Risk and Compliance workers face a confluence of challenges:

  • Compliance personnel must determine the impact of rule amendments or additions to their existing obligations, a process that repeats with every change in regulation.
  • Relevant changes must be reconciled with a firm’s controls, policies and procedures. Manual documentation and siloed pockets of knowledge throughout the organization leave the business vulnerable to human error.
  • The economic turmoil spurred by COVID-19 has seen many companies reigning in their budgets. As a result, those tasked with regulatory change management are now being asked to do more with fewer resources.

There are some 300 million pages of regulatory documents published globally, full of dense language and crucial but often subtle implications. Teasing out relevant regulatory obligations from these texts and mapping them to your organization has historically required countless hours of manual work. 

READ MORE: Regulatory mapping is key to compliance. Are you doing it effectively?


As compliance operations move increasingly into the digital era, it is clear that regulatory change management is particularly ripe for automation. 


Regulatory Change Management in the Age of Digitalization

Technological innovation has allowed financial firms to significantly improve their compliance processes. Here are some of the ways RegTech tools are helping financial institutions better manage regulatory change:

» By collecting regulatory content in one place, making it easier to monitor the regulatory landscape and reducing reliance on email/mailing lists.

» By surfacing regulatory changes that apply to a specific firm, narrowing the universe to applicable insights only.

»By helping compliance personnel organize and triage regulatory changes by mapping them to the firm’s business taxonomy.

» By helping compliance personnel map regulatory changes to the firm’s policies and controls, streamlining the process of assessing impact.

» By providing continuous insights, updating a firm’s obligations register in real time and flagging instances where operations no longer match requirements. 

Modern approaches to compliance risk are becoming increasingly necessary as regulation continues to grow and evolve. By investing in regulatory change management tools, financial firms are able to increase their compliance team’s efficiency and effectiveness while proactively protecting the business from regulatory and reputational risk. 

READ MORE: Solution Highlight: How Ascent Automates Regulatory Change Management


To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.



How an Integrated Risk Management (IRM) approach can transform your organization

By Blog

Today there are more risk drivers that span across more areas of business, making it harder to monitor, manage, and mitigate risk than ever before. Yet much of the financial services industry is continuing to approach risk in the same way it always has—through two distinct silos of compliance and risk. However, the onset of the COVID-19 pandemic has exposed the cracks in these traditional approaches, and raised the need for a more comprehensive approach called Integrated Risk Management (IRM).

“The response to the coronavirus pandemic is a perfect example of when the [three lines of defense] and traditional risk governance don’t work very well. Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.” — Malcolm Murray, VP, Gartner Audit & Risk practice.

In this article, we cover:

An Overview of IRM and How It’s Different From Other Approaches

There are many factors that drive the overwhelming pace of change across financial firms’ risk profiles. These factors include:

  • The sweeping adoption of digital tools to meet consumer needs, which requires a reliance on external-facing third-party vendors.
  • The adoption of third-party vendors to manage behind-the-scenes complexities; often these new technologies and integrations must access consumer data collected by the firm, or they themselves collect more consumer data—a reality that leads to more subsequent risk.
  • Business expansion into other markets across the nation and around the globe, adding liability as both the number of consumers to protect and the number of regulators to adhere to multiply.
  • The reality of regulatory complexities, which is increasing on both a national and global scale.

How firms monitor, manage, and mitigate the risk associated with these factors depends on their risk and compliance philosophy. Here are two approaches that firms often take and how they compare to an IRM strategy.

Governance, Risk, and Compliance (GRC)

To understand IRM, it’s important to also understand how it came to be. In 2002, a series of financial scandals led to the passage of Sarbanes Oxley (SOX), a federal law that created a set of rules for accountants, auditors, and corporate officers, and imposed more stringent recordkeeping requirements on financial firms especially. As a result, the industry developed the discipline of “governance, risk, and compliance” (GRC) to keep up with and manage these SOX requirements.

Over time, the role of innovation began to play a more prominent role within the governance, risk, and compliance discipline to both align IT with business objectives, and effectively manage risk and meet compliance requirements. This ultimately led to the creation of GRC-focused technology designed to help companies achieve these goals.

As time has passed, the GRC acronym has become synonymous with the GRC technology itself, which has led to the framework of the GRC discipline being conflated with the technology that powers it. But the framework that connects governance, risk, and compliance is an essential part of monitoring, managing, and mitigating risk effectively.

A conventional GRC framework is typically carried out by the three lines of defense, which are each responsible for a different aspect of overall risk management:

  • 1st line of defense: Line management should act as the first line of defense, identifying risks and implementing controls.
  • 2nd line of defense: Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes.
  • 3rd line of defense: Internal audit should act as a third line, taking a birds’ eye view of the effectiveness of controls and risk management.

(Source: Gartner)

While the three lines of defense model is important, it can also make reacting to new risks difficult because it is more meticulous and is often disjointed from the rest of the organization, including at the executive and board level.

Enterprise Risk Management (ERM)

As SOX compliance auditing and the GRC framework were taking shape, the role of enterprise risk was evolving as well. Risk mitigation was historically covered by purchasing insurance—such as property insurance, liability insurance, and malpractice insurance—to deal with literal events like natural disasters and theft, as well as lawsuits and claims relating to damage, loss, or injury. However, as more drivers of risk began to surface for firms, risk professionals expanded their purview to include risks associated with technology (particularly technological failures), company supply chains, and business expansion.

In response to this expanded risk profile, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the concept of Enterprise Risk Management (ERM) to spot risks and map them throughout a traditional company structure. ERM typically involves the highest levels within an organization, including executive and board-level decision makers, as it is intended to connect all of the departments across the organization.

While ERM is meant to help organizations proactively manage and mitigate company-wide risks, it does not oversee the management and implementation of the measures necessary to prevent and mitigate risk, especially in relation to regulatory compliance.

Integrated Risk Management (IRM)

In 2016, Gartner revisited the concepts of GRC and ERM and determined that each, while critical, didn’t fully connect all of the dots from a risk and compliance perspective. So, Gartner created a renewed framework that addressed both the high-level strategy of managing risk, as well as the hands-on work of making these strategies possible. And so Integrated Risk Management was born.

The numbers speak for themselves:

  • 57 percent of senior-level executives rank “risk and compliance” as one of the top two risk categories they felt least prepared to address.
  • 87 percent of organizations see tech risk management as a siloed, reactive process rather than an organization-wide function for proactive risk management.
  • Only 4 percent of organizations feel that their third-party risk management tools fully integrate and capture overall risk for reporting purposes.

IRM helps organizations address all of these concerns. It is an umbrella approach that bridges ERM and GRC—both relying on ERM strategy to identify risk drivers, and the framework of GRC to implement the actual work of compliance. Through this connection, IRM creates a comprehensive view that:

  • Exposes any risk management gaps that exist due to silos
  • Proactively monitors, tracks, and implements compliance measures across all of the areas identified by the company’s executive-led ERM strategy

In turn, this enables companies to be more agile in their response to unforeseen circumstances, as IRM is both a top-down and bottom-up approach that includes executive and board-level leadership and the teams that do the actual work.

“Rather than putting compliance first, integrated risk management enables an organization to manage its unique set of risks that face its organization specifically and in turn meet compliance requirements as a part of that mission.” CyberSaint Security

The Six Practice Areas of IRM

Gartner defines IRM through six practice areas:

six practice areas of integrated risk management

1.  Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership

2. Assessment: Identification, evaluation and prioritization of risks

3. Response: Identification and implementation of mechanisms to mitigate risk

4. Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response

5. Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls

6. Technology: Design and implementation of an IRM solution (IRMS) architecture

Ultimately, IRM oversees, prepares for, and mitigates all of the aspects that make up a company’s dynamic risk profile, such as physical, technological, data-oriented, and regulatory risk. According to LogicGate, an agile GRC cloud solution and Ascent integration partner:

“Integrated Risk Management gives business leaders a clear picture of all their risks. With their newfound understanding of the enterprise’s dynamic risk profile, they can make better decisions at the enterprise level about which risks to mitigate and which to accept or transfer. By integrating risk areas and recognizing interdependencies, executives can ask more strategic questions about how risk is one part of the business impacts other parts of the business.”

LEARN MORE: Ascent GRC Integrations


The First Steps in Implementing an IRM Strategy

The first steps in building an IRM strategy focuses on two of the six practice areas (Strategy & Assess):

1. Outline your company goals and strategy

2. Determine which stakeholders ladder up to those areas of business

3. Identify the key risk drivers from those areas of business, including those associated with regulatory compliance

To identify the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use the most granular regulatory data in the industry to help risk and compliance teams pinpoint and map their regulatory requirements / obligations throughout their organizations. This is especially important when trying to set a regulatory compliance framework for the first time or address any gaps within a firm’s existing regulatory compliance framework.

Our AI-driven technology called RegulationAI takes this process one step further, by keeping firms’ obligations updated so they never miss a regulatory change that could expose them to additional risk. These dynamic granular obligations are even more powerful when they’re seamlessly tied into GRC platforms, such as LogicGate and IBM OpenPages—a capability that Ascent has built through its API integrations.

To learn more about Ascent’s API integrations, contact us directly.