Facing the Reg Tech wave in financial crime
Though it has been stated that regtech is the new fintech, it is different in one fundamental aspect: it
is not there to compete but to facilitate GRC frameworks in organisations and to make them more
According to Richard Gluyas at The Australian, Treasurer Scott Morrison said that “The automation of
compliance with regtech has the potential to overcome individual foibles and human error in a way
that provides the quantum leap in culture and compliance that our regulators, customers,
policymakers and the community are increasingly demanding.”
This would suggest regtech has grown overnight. In fact, regtech simply means ‘regulatory technology’
and has existed in some form for many years.
“We have been developing what we have been developing for the last four years, way before even
hearing the term regtech,” said Anthony Quinn, CEO of Arctic Intelligence.
He said that from his perspective, it is a good thing because finally, there is a platform to showcase
what his company is doing and why they think regtech is important.
“We codify regulations, take them from the rule books of different regulations like AML, and then put
them into our platform,” Quinn explained. “Then, we have people go through those and assess how
their internal policies map against that particular external obligation, and what the risks are of getting
it wrong. What are the potential consequences of failing to meet that compliance obligation?
“Broadly, what we are trying to do is apply smart technology to regulations to make it easy for
regulators and regulated entities to comply with and identify where their gaps are so they can track,
manage and report them,” Quinn added.
What has changed?
“Everyone realises compliance is a problem,” Quinn told GRC Professional. “It is an issue, and it is hard
to do right.” He added that, at the moment, the trend is still in favour of regulated companies.
“If you look at the track record in Australia for enforcement action taken since the AML/CTF Act came
into effect ten years ago, there has probably been less than 15 enforceable undertakings,” Quinn
said. “The biggest fine in Australia to date is $300 000. If you compare that to what has been
happening overseas since 2008, banks have been fined $26 billion for noncompliance. So any
Australian business that has a presence internationally—either from an AML perspective or an anti-bribery
perspective—needs to sit up and take notice of those laws.”
He added that these are the kinds of international developments heading this way.
Quinn said that with developments like the Foreign Account Tax Compliance Act (FATCA) and the
Common Reporting Standard (CRS), where many countries around the world have agreed to share
information, the implications are that there are now thousands of financial institutions in Australia with
a new set of laws with which they must comply.
“You’ve got things like data privacy regulation, data retention regulations—all this stuff is coming in
and driving complexity,” he said.
Quinn believes there is still a lot of complacency amongst reporting entities—a huge challenge for
regulators, who have the job of regulating 14,000 businesses.
“Even if AUSTRAC were able to visit half of 1% of those, doing 70 site visits a year, I think they would
be doing well with the number of staff they have,” he said. Plus, regulators have their own challenges
when it comes to getting regulated entities to comply. This is why governance is a major initiative
under their information agenda.
“There is a massive gap in both the knowledge and the output being produced for risk assessments,”
Quinn said. “And for audit assurance, there is masses of varying quality.”
He added there is an understanding this needs to change; thus, regulators and those like AUSTRAC
and ASIC are working with industry to see what changes they can make.
“Regulators all have regtech as a high-priority initiative for government, and so that is another thing
turning in our favour,” Quinn said. “Before, you couldn’t approach a regulator and say ‘I have some
good technology we can start using for the benefit for your regulation’. They just would not have been
open to that kind of approach. Now, we are actively talking to domestic and international regulators.”
Currently, there is a big movement going on where people are looking at how they can achieve their
compliance obligations—or, from the regulators’ perspective, regulate all these reporting entities.
“People are getting more serious,” Quinn told GRC Professional. “Some foreign governments are
getting more aggressive in terms of how they are enforcing the law. There is a lot of social media
backlash, based on reputational point of view, that hits people instantly if they do something wrong, or
if they are fined. The ‘culture’ of compliance is becoming more important.”
Singapore and regtech
“If you look at how Singapore set up their own fintech communities, they reached out to all the banks
and said ‘what are your problems?’” Quinn said. “Then, they got about 200 problem statements from
different regulated entities and distilled those down into 100 problems. One subset of those problems
was around regulatory technology—so that could cover things like KYC, the same stuff we are doing
with risk assessment and assurance.”
He continued that they looked at the problems with a real business need, and then tried to find
entrepreneurs working on technologies that might solve those needs and problems.
Regtech and traditional companies
Quinn believes both regtech and incumbents in the financial industry can coexist. He highlighted that
there is no reason why a big firm cannot use the technology of a regtech company to run independent
“I think where you have a regtech company that is typically small, sometimes formed in the back of
a garage with a good idea that grows and grows and grows, then they have challenges of trying to sell
their software into established companies, because there are numerous hurdles that a small company
might have to overcome to be able to sell to a big organisation,” Quinn explained.
Quinn stated that sometimes, major corporations have attempted to create their own innovation
spaces, but tough corporate cultures often fail to foster that creative culture of innovation. As a result,
they have a low tolerance for failure.
Impact on ‘Regulatory Fatigue’ and the ‘Compliance Burden’
“Nobody likes compliance. Ten years ago, if I had pitched the fact that the banks have to comply with
anti-money laundering laws—and I did…well, it is a pretty hard conversation when you go to a bank
and say ‘you have to do all this new stuff’,” Quinn said.
He added people are already fatigued, and then they are asked to deal with a wealth of new laws and
regulations. “Certainly, it is not getting any easier for regulated entities to comply with laws that are
coming out, or those that are continually being updated and refreshed,” Quinn explained.
It is important to remember, however, that there are those organisations that choose to hide behind
this notion of being ‘fatigued’ as an excuse.
“For Tranche 2 laws for AML, now 10 years in the making, they are still not introduced,” Quinn said.
“You’ve had major lobby groups like the legal professional associations, the real estate associations,
the accounting associations—you name it—fighting very hard and citing huge cost considerations, and
burdens, and things like that.”
Quinn said he is sympathetic because often organisations have very tight budgets, and in many cases
simply lack access to affordable advice and affordable technology.
That is where regtech comes in. “That’s why we are meeting with regulators to get them comfortable enough so that, when a regulated entity utilises the technology we are building, they are comfortable
the output is compliant,” Quinn explained.
From a financial technology perspective, there is certainly the clear view that a more efficient way to
face and meet compliance obligations exists. Quinn recognises the challenge of meeting new and
updated compliance obligations, and this holds particularly true in an environment of limited
resources, where organisations are still trying to meet existing compliance regulations.
Having automated processes take over some of the more mundane tasks tackled by compliance
managers will leave them with more time to dedicate to making decisions and adapting their GRC
frameworks to face the new and updated regulations when they arrive.