Keynote Address by Jonah Crane, Delivered at “The Future of RegTech,” Innovate Finance Transatlantic Working Group, June 23, 2017
As Prepared for Delivery
Thank you, Dan. And thank you to Innovate Finance for inviting me to be here, representing the FinTech Innovation Lab and the Partnership Fund for New York City. Innovation is flourishing in both London and New York, each supported by a rich ecosystem of industry expertise, financial and human capital, and physical and social networks. I’m happy to be here and to contribute to the important efforts of the Trans-Atlantic Working Group.
I will begin by introducing the FinTech Innovation Lab, then I will offer some observations on the intersection of FinTech and financial regulation, discuss some important trends in what has come to be called RegTech, and finish with some recommendations for FinTech firms and regulators.
FinTech Innovation Lab
The FinTech Innovation Lab is run by the Partnership Fund for New York City, together with Accenture. The Partnership Fund has invested $150 million as part of its mission to create jobs and expand the New York City economy. It is the investment arm of the Partnership for New York City, which represents the CEOs of the 300 largest employers in New York.
The Partnership Fund started the Lab over seven years ago to capitalize on the tremendous resources available in New York City and to keep New York at the cutting edge as a financial center.
The idea was, and remains, to connect early and growth stage financial technology companies with experts in the field, and facilitate access to senior financial industry leaders who could become potential clients. During the 12-week mentoring program, companies work with 30 financial institution mentors, and four resident experts, to validate use cases and business models, and gain important insights into the business of banking, insurance, and capital markets.
As of yesterday, 47 companies have graduated from the lab, launching or completing170 proofs of concept. Lab alumni have raised $463 million in financing after participating in the program, creating 385 jobs. And four alumni companies have had successful exits.
This year, in response to growing interest in FinTech on the part of regulators, and growing awareness within the FinTech community that regulatory issues need to be addressed up front, the Lab added a “regulator in residence.”
My role has been to help companies understand and address their own regulatory issues, as well as the regulatory and compliance expectations facing the firms they want to partner with. Just as often, however, I have found myself helping companies identify regulatory pain points that their technology can help solve.
FinTech and Financial Regulatory Policy
Having participated in Treasury’s policy work on FinTech, and now working in the field with FinTech companies, maybe I am well-positioned to challenge a couple pieces of conventional wisdom about the intersection of FinTech and financial regulation. My goal is not to antagonize, but rather to focus debate on where those bits of conventional wisdom have the most salience.
The first piece of conventional wisdom I would like to challenge is the proposition that the primary obstacle to financial innovation in the US is regulatory uncertainty. For one thing, financial regulation generally applies to products or services regardless of the delivery channel. In other words, when it comes to regulation, FinTech companies are more “Fin” than “Tech.”
The high-profile mistakes we’ve seen have generally not been a result of unclear regulatory requirements. They have involved marketing products or services nationally that were not available in all states, or selling insurance products without the necessary licenses, or misleading consumers about the company’s level of data security.
That is not to say that the regulatory system cannot be improved in ways that would facilitate innovation.
One area of particular complexity in the US is the fragmentation of regulatory authority: three federal banking regulators, the CFPB, two market regulators (plus SROs), and the FTC—not to mention multiple state regulators. This problem is unlikely to be resolved in a structural way any time soon, so regulatory coordination at the federal and, especially, state level will be necessary.
A related contention is that US regulators are lagging behind their peers. I would just remind everyone that the CFPB launched Project Catalyst back in 2012, so they were well ahead of most of the rest of the pack. To the extent the US has lagged, it’s mostly a function of a fragmented regulatory system.
But make no mistake, the regulators are engaged. Last year, the OCC formed an Office of Innovation, and just this summer the CFTC announced its own New York-based lab, LabCFTC. The FDIC has a steering committee, and the SEC and FINRA have formal staff initiatives. The Fed has a point of contact and staff across the Federal Reserve System are engaged in significant policy work.
The final piece of conventional wisdom I’ll question is the notion that moving from rules-based to principles-based regulation will open up the innovation floodgates.
Principles-based regulation sounds good, but in practice industry wants to know exactly what they must do to be compliant. Regulation by enforcement is unpopular, but that is often the flip side of the principles-based coin. (I should note there is also a tension between the drive to automate compliance–by adopting a number of RegTech solutions, which I’ll discuss momentarily–and a principles-based approach.)
Of course, our system is something of a hybrid, with certain aspects of financial regulation governed by broad principles. The clearest example applicable to FinTech is the CFPB’s authority to prohibit products or services that are unfair, deceptive, or abusive (UDAAP).
The CFPB has used that authority to bring enforcement orders against FinTech companies: against Dwolla for making deceptive claims about its data security practices, and against LendUp for advertising loans nationally that were not actually available in most states. The CFPB has also successfully based a UDAAP case on violations of state law.
So it’s important to think about what a workable principles-based approach requires. That’s a topic for a longer discussion, but I’ll make one point here: Firms will need to work proactively to understand regulatory objectives, and build products and services consistent with the spirit, not just the letter, of the law. If they can internalize a culture of compliance, they will deserve the benefit of the doubt, rather than second-guessing based on 20/20 hindsight. For their part, regulators must provide sufficient guidance and feedback that firms understand what they are trying to achieve.
RegTech: Shifting the Risk/Cost Curve–and More?
With that backdrop, let’s turn to RegTech. Let’s begin by agreeing on what we mean. What is RegTech, other than a portmanteau only slightly more awkward than “FinTech”?
For today’s purposes, in deference to our host Innovate Finance, I will use the FCA’s definition: “the adoption of new technologies to facilitate the delivery of regulatory requirements.”
The promise of RegTech, to borrow from the FCA once again, is its potential to enable more efficient and effective regulation and compliance. The effect is to allow companies to meet increasing compliance requirements without a 1-for-1 increase in costs. Or, as stated by Marc Andrews of IBM, the goals is to shift the risk/cost curve:
“Today you have to make a decision of what your risk tolerance is and, based on that, the level of compliance you want to adhere to, which will drive a certain level of cost. If you want to reduce your risk, you need to increase your costs. We are shifting the risk/cost curve, and enabling banks to address increasing compliance requirements and reduce their risks without continuing to grow costs.”
Most existing RegTech solutions operate along one or both of those dimensions—reducing the cost of compliance via automation, or leveraging technology to deliver more effective compliance (for example, by accessing broader data sets or employing better data analytics).
In the U.S., financial institutions spend an estimated $60-$70 billion annually on compliance. The number is estimated to be $100 billion globally, growing to nearly $120 billion by 2020. A recent global survey of compliance managers indicated that 54% plan to increase spending on RegTech in coming years. Based on my experience with the Lab, I would guess it’s actually much higher than that, at least in the US.
Industry Pain Points: RegTech Use Cases
What problems is RegTech trying to solve?
- KYC/AML. One of the most severe regulatory pain points experienced by financial institutions today is the anti-money laundering regime (AML). AML rules require financial institutions to verify the identity of customers (know your customer, or KYC) and monitor transactions for suspicious activity. Both requirements present significant challenges.
Dozens of new tools are being developed for identity verification—from using big data and machine learning and behavioral biometrics, to the development of digital identities managed in a distributed ledger. Two FinTech Lab companies from this year’s class—Alloy and BehavioSec—have solutions in this space.
Transaction monitoring is also particularly challenging. In many cases, over 90% of the transactions flagged by existing systems are false positives. More accurate risk assessments, and more efficient processing of alerts, would reduce time spent reviewing all those false positives, achieving as much as $4 billion in savings according to one recent estimate.
The stakes can be high—JP Morgan was fined $2 billion in 2014 for weak AML controls—so financial institutions are taking a belt and suspenders and duct tape approach. There is a lot of opportunity for RegTech startups in this space, but it is also a crowded field.
- Regulatory interpretation and monitoring. Perhaps the most obvious application of RegTech is simply automating the interpretation and monitoring of regulatory obligations. IBM announced last week that it is creating a library of rules and guidance that can be customized by geography, business, and product type. Automating these processes can free up compliance staff to focus more on analysis and problem-solving.
- Regulatory reporting. Reporting requirements have grown in complexity–daily liquidity reports, stress test reports, and Form PF reporting by hedge funds to name a few. RegTech companies are increasingly helping financial institutions stitch together information from across business lines to produce reports.
- Employee Conduct. Natural language processing and machine learning algorithms are also being used to analyze trading activity, and internal or customer communications, for fraud or employee misconduct.
So far, we’ve discussed RegTech solutions that reduce cost through automation, or improve efficiency with data and analytics and machine learning. Other initiatives have the potential to bring more of a paradigm shift in compliance, such as still-nascent proposals for KYC utilities—shared databases that multiple firms can use to more effectively verify customer identities. These are in the early stages, but have the potential to completely change the way regulation and compliance are conducted.
Despite the excitement and attention, there are reasons to temper expectations for RegTech adoption.
The first challenge is prosaic, but familiar to any vendor that has worked with financial institutions: the long sales cycle. FinTech Innovation Lab participants have experienced this first-hand. Indeed, one of the greatest attributes of the Lab is the assistance it provides to startups navigating that process.
One suggestion for speeding up this process is to get regulators to pre-certify certain technologies or tools. I’ll cut to the chase: that is not likely to happen. And we shouldn’t want or expect it to. Regulators are not in a position to pick winners.
But regulators do ultimately need to sign off on the approach taken by their regulated institutions. So they need to understand them. One of the main challenges facing regulators is what I call the “black box” problem. AI, machine learning, predictive analytics—these tools involve complex applications of data science on large and disparate data sets, often in dynamic ways. As model complexity increases, it becomes more difficult for supervisors and compliance officers to understand the model.
This “black box” problem was a consistent theme when Lab participants recently visited Washington for meetings with regulators—who all wondered why they should trust the outputs of complex machine learning tools if they don’t understand the algorithms that produce those outputs. For regulators to get comfortable with these tools, they will need to be confident that the models do what are “supposed” to do, and that outputs can be trusted. Here, RegTech may bear the seeds of its own salvation: automation should facilitate production of a complete audit trail. But there is undeniably a steep learning curve involved here.
Another obstacle to RegTech adoption is the reluctance of both financial institutions and regulators to embrace the move to the cloud. Most RegTech innovations are built as cloud-hosted solutions. That doesn’t mean they can’t be built locally when clients want that, but it makes adoption that much harder, that much more expensive.
Given these challenges, it’s important to exercise discipline in analyzing use cases: clearly understand the problems financial institutions need to solve, and focus on sustainably shifting the risk/cost curve.
Regulators as Users: “SupTech”
Before closing with some recommendations for regulators and FinTech firms, I will briefly address one of the interesting themes of the paper released today by Innovate Finance: the use of cutting edge technology by regulators. (I recently heard yet another cringe inducing word to describe this: “SupTech.”)
The reality is that “SupTech” will face even steeper obstacles to adoption than RegTech. Procurement processes are always lengthy in the government, and technology adoption slow to take root—recent news reports referred to floppy discs still being used in one agency. Regulators whose budgets are appropriated by Congress, like the CFTC and SEC, face persistent operating budget shortfalls and laws like the Anti-Deficiency Act that make it extraordinarily difficult to commit to long-term projects.
But regulators are increasingly aware of the need to get up the technology curve. The CFTC, for example, recently announced as part of its initiative that it would look at ways to improve its own use of technology. It is important for regulators to have sophisticated tools, and as Acting CFTC Chair Chris Giancarlo has said, 21st Century regulators can’t settle for using 20th Century tools.
Market surveillance is one area that can almost certainly be improved with the use of machine learning algorithms. The appropriate laboratories of innovation may be the SROs that oversee market conduct day-to-day. Another intriguing idea is to develop regulator “nodes” or “portals” into distributed ledgers, which could potentially revolutionize regulatory reporting, monitoring, and surveillance.
Regulators should be alert to technology developments—better to be incorporated into the infrastructure from the beginning than figuring out how to be added on later.
What Next? Some Recommendations for How to Proceed from Here
I’ll close with some recommendations for FinTech firms and regulators on how to approach the road ahead.
How should FinTech and RegTech navigate the challenges I outlined above?
- First, make regulatory compliance a priority—from the start. “Move fast and break things” is a treacherous approach to highly-regulated markets like consumer finance. Even Facebook now acknowledges that it ultimately slows you down to have to stop and fix things.
- Try to understand the regulatory objectives. Just because there’s not a specific rule prohibiting a specific practice doesn’t mean it won’t get you in trouble. The CFPB’s enforcement actions against LendUp and Dwolla are cautionary examples of a principles-based overlay on a rules-based system, and show that the spirit of the law matters as much as the letter. Build your product to serve the spirit of the rules, and work with regulators to fix the details if necessary.
- If you have a product that you think is consistent with the spirit of the law, but is bumping up against technical compliance requirements, proactively work with regulators—show them why the product is fair to consumers. This is the kind of problem no action letters can solve.
- Where possible, marshal data in your cause, to demonstrate why your RegTech solution is not just cheaper but more effective, why your product is good for consumers. One idea that has been discussed in the FinTech Innovation Lab is working with our 35 financial institution sponsors to develop anonymized data sets for FinTech innovators to use to test new products or services. Others, including Innovate Finance, have made similar proposals.
- Be willing to start small. Much has been made of sandboxes, and in the US we have 50 natural laboratories of innovation: the states. California is the World’s 6th largest economy, and New York number 11. Those are large sandboxes.
For their part, policymakers and regulators should focus on three things:
- Engagement, engagement, engagement. Regulators will always be somewhat behind the innovation curve—indeed, it would be strange if they were not. But US regulators are now engaged. More frequent guidance from regulators could be helpful in clarifying regulatory expectations and objectives. Regulators have many tools at their disposal—FAQs, guidance, no action letters, pilot programs. They should use them.
- Fragmentation is one of main challenges inherent in the US regulatory system. It can hinder effective policy implementation and create headaches for regulated institutions. Information sharing will be critical to developing a coherent regulatory approach to emerging technology issues.
I should also emphasize coordination among states. They have opposed the OCC’s federal FinTech charter proposal, so the onus is squarely on them to develop a more streamlined approach.
- Embrace the cloud. It’s coming, and there is no reason to hold financial services back. If there are security concerns, regulators should coordinate with the private sector to establish key technology standards to facilitate the transition.
 In CFPB v. CashCall, the U.S. District Court for the Central District of California granted CFPB’s motion for summary judgment. The court held that, by attempting to collect on loans that were deemed to be void in several states, CashCall had violated Dodd-Frank’s prohibition on unfair, deceptive, and abusive acts and practices.
About Jonah Crane
Jonah Crane is the Regulator in Residence at the FinTech Innovation Lab operated by the Partnership Fund for New York City, and provides strategic consulting for FinTech companies. Until January, Jonah served as the Deputy Assistant Secretary for the Financial Stability Oversight Council at the United States Department of Treasury. Prior to being named Deputy Assistant Secretary, Mr. Crane served as a Senior Advisor at Treasury. Before joining Treasury, Mr. Crane served as a legislative aide to Senator Charles E. Schumer, where he worked on the Dodd-Frank Act, the JOBS Act, and the Super Storm Sandy relief legislation, among other issues. Prior to joining Senator Schumer’s staff, Mr. Crane was a corporate attorney focusing on mergers and acquisitions at Milbank, Tweed, Hadley & McCloy LLP in New York. Mr. Crane received a J.D. from New York University School of Law.