directors counsel

Back in January, the Australian Securities and Investments Commission (ASIC) announced it was working with five regulatory technology firms on data-driven solutions to identify and assess poor market disclosure by listed companies. Funding for the ASIC-led project comes from the Business Research and Innovation Initiative (BRII) which was introduced by the Commonwealth Department of Industry, Science, Energy, and Resources in 2015. This year’s round of the BRII is focused exclusively on regulatory technology — usually referred to as “regtech” — and is providing early-stage support to Australian SMEs and startups working on regtech solutions in four disparate areas: market disclosure, asbestos testing, marine autonomous systems assurance and automated monitoring of export livestock health and welfare.

Regtech has been with us for a while. In its simplest forms, it assists regulated entities by building technology-enabled business systems and processes that embed the required steps for compliance with applicable laws. Regtech is intended to improve compliance outcomes and enhance risk management capabilities, while reducing the costs of regulatory reporting, data collection and risk management. Industry numbers suggest that the Australia regtech sector — with 80 local regtech companies — is third largest behind the US (174 firms) and UK (109). This may be a function of the complexity of Australian regulatory frameworks rather than the size of the economy. Most regtech firms operate in financial services, but as the new BRII projects show, there are potential applications across all kinds of regulated activities.

The ASIC project on market disclosure falls into a subcategory of regtech known as supervisory technology, or “suptech”. Suptech was defined by the Financial Stability Board in 2018 as the use of digital tools and solutions — including hardware and software — by public sector regulators and supervisors to carry out their responsibilities. In 2021, an OECD report on the use of artificial intelligence (AI) in business and finance identified suptech as an important and growing area of regulatory practice. This reflects the “potential of digital technologies and data to automate and thus improve the efficiency and effectiveness of supervisory and enforcement processes”. Data science is used to enhance the surveillance, analytical and enforcement capabilities of regulators by mining large structured and unstructured data sets for non-obvious patterns and insights that point to actual or emerging compliance failures.

Generational change

The literature points to four generations (so far) of suptech — descriptive, diagnostic, predictive and prescriptive. The OECD explains that “while the first generation covers primarily manual data management workflows, the second involves the digitisation of certain paper-based processes in the data pipeline”. These early generations are useful for describing what happened — and diagnosing why it happened.

In a continuum, “the third generation covers big data architecture, and the fourth involves AI as its main attribute — both enabling predictive and prescriptive analytics, in addition to enhanced descriptive and diagnostic analytics (that is, predicting what will happen and prescribing anticipatory action).”

Most regulatory agencies operate in first- or second-generation environments. Internationally, a 2020 survey of 21 market conduct and financial consumer protection authorities indicated that suptech is mostly used by them to collect or analyse data or automate workflows. Moving from the first to the second generation involves replacing paper-based reporting with web-based portals, often combined with “ask once” or “tell government once” policies like those at Service NSW. But digitising regulatory reporting involves significant challenges. The European Commission is developing a strategy on supervisory data to ensure that “(i) supervisory reporting requirements (including definitions, formats, and processes) are unambiguous, aligned, harmonised and suitable for automated reporting; (ii) full use is made of available international standards and identifiers including the Legal Entity Identifier (a unique global identifier for legal entities participating in financial transactions); and (iii) supervisory data is reported in machine-readable electronic formats and is easy to combine and process”. For many Australian businesses, even that seems a long way off.

Later generations of suptech use big data architectures and sophisticated AI to anticipate when compliance failures will occur and allow regulators to respond to avert them. Work published by the Bank for International Settlements in 2019 explains that this “takes automation one step further by having “machines” drive parts of data management and analysis, as well as inform authorities’ actions. The former might entail leveraging natural language processing to scrape data from the web or using ML to match and merge disparate data sets. The latter can take the form of recommendation engines that suggest courses of action, or even chatbots that execute supervisory tasks previously performed by humans, such as responding to and resolving customer complaints.”

Here and now

The OECD identifies several potential benefits of suptech for regulators. It enhances their detection capabilities, improves efficiency in enforcement (including in managing and analysing evidence, and monitoring adherence to agreed settlement terms) and improves data collection and management to produce actionable, non-obvious regulatory insights. Australian regulators already use sophisticated forms of suptech to detect potential non-compliance. For example, ASIC’s Market Analysis and Intelligence (MAI) platform collects real-time data feeds from the ASX and Chi-X, and includes an alert monitor that detects and identifies abnormalities in equity market orders and trades. MAI also allows analysts to drill down and analyse market data to identify trading accounts that may be engaging in insider trading or market manipulation. ATO data (family relationships, addresses) has been used to create a data set of an anonymised map of linked trading accounts, which will be linked to MAI trading data to create different analytics to improve ASIC’s surveillance capability to identify market misconduct.

However, the OECD also points to risks “that commonly arise upon large technology platform and software transitions, as well as risks that are transversal in nature due to the digital environment itself”. Other practical and legal challenges can also arise in integrating suptech tools into legacy systems — and from insufficient communication with stakeholders. The OECD concludes that “technical issues and risks stemming from the digital nature of suptech solutions also need to be accounted for, including risks related to: cyber and data security; third-party dependencies; data localisation (potentially causing cross-border issues), as well as poor-quality algorithms or data, and opacity in the design and outputs of suptech tools (ie a “black box issue” potentially entailing reputational risks)”.

Given the consequences for companies and individuals that can flow from regulatory action, such risks must be carefully managed — and not just because of potential harm to the regulator’s reputation. The ethics of AI and automated decision-making (ADM) are relevant for both regulators and regulated. Transparency in the development of suptech can be difficult if it allows regulated entities more easily to game the system, but meaningful scrutiny of these developments is important. As Australia belatedly moves to develop its regulatory framework for AI and ADM, its growing use by regulators should be an important focus.