RegTech - the use of information technology in the context of supervisory processes - is nothing new, but only a further step in the interactive evolution of finance and information technology.
By reducing information asymmetries and their related costs, RegTech allows financial institutions to comply with regulation more efficiently and supervisory authorities to enhance their capacity for deterrence. However, RegTech also presents important perils for the financial system, namely: (1) risks related to technology vulnerability (operational and cybersecurity risks) and (2) automation biases that weaken overall personal responsibility and decision-making effectiveness and encourage financial institutions to privilege organizational self-interest over sound management. Moreover, RegTech raises imbalances in resource allocation effectiveness between financial institutions and supervisory authorities. While the former can easily invest in RegTech, the latter are bound by operative constraints and funding discontinuities. In the presence of these issues, the most efficient policy for addressing the evolution underway in supervisory processes is investing in the "human factor."
By (re-)striking the balance between technology and humans, the perils of RegTech are contained for the good of the whole financial system: supervisory processes are subjected to accountable safeguards against technological breakdowns, and human judgment and personal responsibility in decision-making are preserved.
1. The use of technology in supervisory processes: the benefits of RegTech - 2. The risks of RegTech: technology vulnerability and automation bias - 2.1 Technology vulnerability - 2.2 Decision-making effectiveness and automation bias - 3. RegTech investments and imbalances in resource allocation effectiveness between financial institutions and supervisory authorities - 4. Defining RegTech policy: investing in the “human factor” to (re-)strike the balance between technology and humans in supervisory processes - 5. Conclusion - Notes
Finance and information technology (IT) have always been closely connected. In the aftermath of the Global Financial Crisis (GFC), FinTech - the new financial industry that applies technology to improve financial activities - is moving this relationship an important step forward[1]. In recent years, as part of this effort, the word RegTech (a syneresis of "Regulatory Technology") has been adopted by the industry to refer to applications «focused on developing common technological solutions to regulatory processes»[2]. Simply put, RegTech consists of the use of cutting-edge digital technologies in the context of financial monitoring, reporting, and compliance[3]. The origins of RegTech have already been analyzed by some legal scholars. They have clearly highlighted that, although RegTech developed within the traditional financial industry in response to post-GFC regulation, it is now attracting the attention of supervisory authorities engaged in managing genuine, complex and dynamic financial systems[4]. This adoption of RegTech by public authorities has recently been referred to by the term "Supervisory Technology" or SupTech[5]. The legal scholarship has highlighted that RegTech is both a great opportunity and an immediately necessary "must do" for supervisory authorities if they are to effectively exercise their powers and accomplish their mandate to act as financial watchdogs. Indeed, it has been stated that «just as finance is rapidly becoming automated, so too must financial regulation»[6] and, consequently, that «regulators must invest heavily in the development of proportionate, data-driven regulation in order to deal effectively with innovation without compromising their mandate»[7]. 
The benefits of RegTech for financial institutions have been clearly delineated in the literature and mainly consist of opportunities to implement financial regulation while both reducing the size of compliance staff (as well as overlapping compliance "silos" in favor of more flexibility within the business organization) and fostering an alignment between business operations and compliance functions[8]. Moreover, it has also been stressed that RegTech enhances risk management, ensuring a qualitative improvement of compliance processes, and ensures that financial institutions are provided with consistent enterprise-wide datasets, while decreasing the overall amount of manual paperwork, which comes with certain risks. Of [...]
The above-mentioned benefits are just one side of the RegTech coin. The other side relates to certain risks it carries. Two different areas of risks can be outlined: one related to IT itself, and the other related to the consequences of constant and intense reliance on IT in decision-making processes.
As with any other technology, IT is a product of human creativity and, consequently, it is imperfect. Such imperfection makes IT highly vulnerable both to errors and to hacking attacks. Consequently, in the context of IT, both operational and cybersecurity risks should be carefully addressed. More specifically, IT operational risk presents itself when, for any reason, errors are introduced into or develop within any aspect of a computer system, from its design to its testing to its operation within the organization in which it has been implemented. Because IT errors happen very frequently, it «is widely acknowledged that there is no such thing as flawless software» or, in other words, that «software always has bugs»[13]. Moreover, the probability that an IT system is affected by bugs (or other errors) increases proportionally with the complexity of the system. For this reason, some computer experts have highlighted that current IT - RegTech included, of course - is, «in many ways, far less reliable and more prone to bugs than it was in the past»[14]. Moreover, it is well known that, if IT operational risks materialize, their consequences can be «catastrophic», depending both on the seriousness of the bugs and the interconnections that link the affected code with other computer systems[15]. Likewise, IT raises cybersecurity issues because computer systems are vulnerable to hacking[16]. Certainly, efforts to resist ill-intentioned third parties are always ongoing, but the threat that hacking will seriously disrupt financial systems is constantly rising, which can be seen especially in the significant and damaging security breaches and data thefts resulting from computer hackers that are reported daily[17]. As RegTech increases both overall reliance on computers and IT interconnections within financial markets, the challenge of implementing secure safeguards against cyberattacks becomes ever more important.
It has been pointed out that this challenge confronts both financial institutions and supervisory authorities. Consequently, it is likely that their alignment of interests will be leveraged to ensure that all financial players can benefit from the best firewalls available[18].
IT is far from being completely neutral from a human point of view. Indeed, designing IT systems always implies evaluative choices, such as those regarding the data and descriptive features to use when composing a dataset or the set of assumptions defining the model selection criteria of machine learning algorithms[19]. These choices inevitably embed both the cognitive biases and other "heuristic" subjectivities that unconsciously characterize the human mind and that generally «permit [it] to make efficient decisions even in situations of uncertainty»[20]. Although these biases and subjectivities are masked by the complex infrastructure of IT, they directly affect the outcomes of the overall process. Moreover, understanding how much the final outcomes are biased is far from easy, since this depends on the likelihood of being able to understand the procedures by which a computer system arrives at a particular outcome. In some cases - commonly referred to as "black boxes" - this can be extremely hard, if not impossible, even for IT experts[21]. As has been recently pointed out, an emphasis on transparency - the remedy most often claimed to be the best way to deal with situations of complexity and opacity - can help but does not solve this problem[22]. Therefore, if not accompanied by adequate awareness and properly managed, IT over-reliance can deeply affect human judgment, which tends to completely disregard these cognitive biases and subjectivities and also to consider computer-generated solutions to always be correct. Alternative or contradictory information is not taken into consideration and a further, secondary bias arises. This has been called «automation bias»[23]. 
Empirical studies have demonstrated that this bias is «most pronounced [both] when […] technology fails to flag a problem» and when computer-prompted outcomes comport «with the financial interest of the decisionmaker», supporting the opinion that automation biases both weaken personal responsibility and decision-making effectiveness and affect organizational choices in privileging self-interest over sound management[24]. Automation biases in supervisory processes can cause financial institutions to inadvertently underestimate risks as well as intentionally opt in favor of excessively risky decisions, justifying these decisions by embracing complex algorithms and computer-generated solutions as authoritative support for them. [...]
In addition to introducing important risk-related concerns into supervisory processes, RegTech also raises other concerns about resource allocation effectiveness. As can be easily understood, the implementation of complex RegTech architectures inherently requires considerable financial resources. Unfortunately, there is a significant imbalance between the abilities of financial institutions and supervisory authorities to afford these costs. Indeed, on the one hand, financial institutions are private, profit-driven organizations in which «those in control […] - the board and its executives - have strong incentives to maintain or strengthen operations» and, consequently, are quite willing to invest massive financial resources into RegTech, with the expectation that technological solutions will transform the cost burden today into higher profit tomorrow[28]. On the other, supervisory authorities are public institutions subject to political processes; their capacity to invest is strongly influenced both by operative constraints and funding discontinuities. Consequently, they experience many more difficulties in raising adequate funding for proper IT equipment. For this reason, they inevitably lag behind in the competition to employ RegTech. Moreover, supervisory authorities face a funding dilemma: if the available resources are insufficient, their efforts to enhance their deterrent abilities may be completely unsuccessful, but if the expenditures become excessive, the high expectations for RegTech may prove altogether illusory. Indeed, the promise of increased efficiency (in terms of expenditure savings) is immediately dampened by the cost burden on the public which must support the investments[29]. For these reasons, supervisory authorities are often unlikely to develop RegTech projects. The development of IT systems assumes the commitment of a variety of extremely skilled teams. 
As has been highlighted in the literature, supervisory authorities currently lack human resources with this kind of expertise within their staffs; consequently, for IT systems to become a reality, such teams need to be formed ex novo. However, operative constraints and funding discontinuities constitute insuperable obstacles to doing so, at least until adequate non-financial incentives develop and emerge to encourage engineers and IT experts to choose careers working for supervisory authorities[30]. It is conceivable that such funding limitations would not [...]
The picture of RegTech resulting from the analysis so far outlined illustrates both its benefits and perils, raising questions about which policy prescriptions might best address current supervisory processes while maximizing the benefits and minimizing the perils. As the focus on the resource allocation effectiveness issues affecting supervisory authorities highlights, such questions are even more crucial when the huge amount of funding needed for RegTech is absent. Indeed, the prevention of risks can greatly reduce the need for ex-post responses, and the saved financial resources could properly be re-allocated in order to achieve other goals. To correctly answer the questions about policy, the current mainstream paradigm of "automated compliance/automated supervision" must not ignore the most important part of the equation; specifically, that financial processes are, first and foremost, inherently human: regardless of how much financial events can be rationally explained, foreseen, and computed, they continuously unfold in a world that is very often characterized by emotional, flawed, whimsical, and random behaviors[33]. Consequently, even in a context in which «[i]t is increasingly clear [that] success depends in large part on the extent to which technology is used to support decisions as well as automate them»[34] and overall financial reliance on IT increases, humans are even more needed. The brain, «with its billions of neurons and trillions of synaptic connections, [still] remains one of the most sophisticated and powerful of all analytical machines»[35], and humans are the only entities that can effectively deal with both sides of financial processes. Thus, the main priority of a policy aimed at addressing the ongoing evolution of supervisory processes must be investing in the "human factor" to (re-)strike the balance between technology and human beings[36]. 
Implementing this priority inevitably involves the pursuit of two goals, both decisive for the final success of RegTech. The first represents the immediate need to hire (and train) IT-competent personnel who can properly employ sophisticated digital technologies. The second is making use of regulation to promote the development of ex-ante personal responsibility among previously identified, tech-savvy individuals operating within the world of RegTech, so that technology can be used mindfully while pursuing supervisory aims. The regulatory policy referred to [...]
This paper focuses on RegTech, the 21st century version of the adoption of IT in supervisory processes both by financial institutions and supervisory authorities, and highlights the benefits it brings in monitoring, reporting, and compliance activities (mainly, a reduction in costs and information asymmetries). However, the paper also warns of the illusory dream that RegTech can create «systems so perfect that no one will need to be good»[45]. Indeed, RegTech comes with perils; namely, those related to the vulnerability of technology (both operational failures and cyberattacks) and the risk that automation biases induced by over-reliance on IT will compromise both management soundness and the effectiveness of decision-making processes, with potentially detrimental effects for the whole financial system. In addition, RegTech raises significant resource allocation effectiveness issues related to the evident imbalances between well-funded and investment-oriented financial institutions and supervisory authorities, whose willingness to invest in RegTech is limited by both operative constraints and funding discontinuities. As the paper underlines, these imbalances highlight important questions about how supervisory authorities will be able to keep up with the evolution underway in supervisory processes, for instance about their capacity to employ personnel with a sufficient amount of IT expertise in the years to come. These questions cause commentators to wonder about proper policy measures to best address RegTech, emphasizing its benefits while containing its risks. The paper proposes that investing in the "human factor" is both a priority and a quite effective policy because it (re-)strikes the balance between technology and human beings, whose unique skills are becoming more needed and important in the current tech-driven financial context. 
Moreover, the paper outlines that this policy option aims not only at hiring and training more engineers and computer experts, but also at promoting their personal responsibility for containing the risk of technological breakdowns, and at preserving decision-making effectiveness and the final accountability of supervisory processes. To achieve this goal, multilateral dialogical discussion and reporting are essential. Consequently, these must be incentivized instead of reduced or eliminated. Thanks to these suggested policy efforts, it can be expected that the risks of RegTech will be sufficiently [...]