Risks of standardisation
Certain RegTech solutions are or may in the future be widely used in the market - where successful RegTech companies gain a considerable market share, where open-source solutions are developed and widely used, or where supervisors impose a Supervisory RegTech solution. The widespread use of the same tool, however, creates additional risks. Standardisation hampers innovation and means that less expertise is put to work, as there is no or less competition for the optimal RegTech tool. In addition, errors or inaccuracies in such widely used RegTech solutions might affect the entire market and thereby even create systemic risk.
Privacy, data-protcction and cybersecurity risks
The use of data mining techniques and cloud-based technology in RegTech solutions raises important privacy, data-protcction and cybersecurity issues.83 Technically, the
Benefits and challenges of RcgTech 441 collection of data and the use of cloud-based systems require the industry as well as supervisors to take robust safety measures against hacking and unauthorised data access (cybersecurity). From a legal perspective, privacy and data protection in the EU is to a large extent addressed by the General Data Protection Regulation. Buckley and others argue that the EU’s advanced data protection system has indeed been key to the development of RegTech in the EU.
Computing power and data capacity
The limitations of computing power and data capacity have long hindered RegTech, and especially Supervisory RcgTech, from reaching its full potential. As technology -including cloud computing - evolves, these problems will diminish.
RegTech goes hand in hand with a reduced reliance on human intervention to ensure compliance. This can have undesirable side effects: employees may feel less involved, which in turn may result in diminished motivation and professional commitment. It can even lead to a box-ticking mentality: if compliance with the law is perceived as a matter of RegTech, individual employees may no longer be ingrained with the fundamental principles of due care towards customers or lose their critical mindset. In view of the limitations of automated RegTech tools, these values are however of the utmost importance. A careful ‘human’ approach increases the likelihood that the people working in a RegTech context spot discrepancies and errors in RegTech tools in a timely manner and decreases the risk that they would exploit the limitations of RcgTech tools in a harmful way.
It is therefore necessary for the introduction of RegTech tools to go hand-in-hand with proper training of the people involved in their use. They have to fully understand how a RcgTech tool works, what its limitations are, how anomalies can be detected and - more generally - what the ultimate goals of the regulation are. In addition, any RcgTech compliance system should be embedded in a broader corporate culture committed to ‘goodcompliance, not mere compliance’. Corporate culture can in turn be supported by RegTech systems to detect non-compliance risk.
Regulatory RegTech: additional problems of democratic legitimacy and regulatory accountability
With regard to Regulatory RegTech, Micheler and Whaley point to the additional problem of democratic legitimacy and regulatory accountability. Regulators who want to issue or endorse regulation in machine-readable language or in computer code need to cither hire computer experts to work closely together with policymakers and/or lawyers or outsource the translation of regulation into machine-readable language or computer code to technology providers. The latter approach might appear more efficient, but would affect democratic legitimacy and regulatory accountability, especially in cases where the regulators allow private providers to exercise discretion when translating natural language, which often leaves room for interpretation, into computer code, which is much more precise.
-  Enriques (n 12) 55. See also ROFIEG (n 5) 15, recommendation 4. Certain EU directives regarding financial services also make this a legal requirement (eg, art. 13 (5) MiFID I, art. 18 AIFMD). 2 Buckley and others (n 20) 29-30 and 34. 3 Bamberger (n 3) 708. 4 Breeders and Prenio (n 14) 3, para 4,9, paras 18 and 17, para 49. 5 Compare to Kahneman’s findings regarding an/his attempt to rationalise an interviewing process for the recruitment of new candidate-soldiers: D Kahneman (n 75) 231: ‘These bright young people were displeased to be ordered ... to switch off their intuition and focus entirely on boring factual questions’. 6 Colaert (n 2) 73-74 gives examples regarding the MiFID suitability test. See also Bamberger (n 3) 714; Micheler and Whaley (n 10) 327; Breeders and Prenio (n 14) 19, para 60. 7 Colaert (n 2) 73; Buckley and others (n 20) 33.
-  Title of the contribution of Daniel KTarullo, ‘Good Compliance, Not Mere Compliance’ (Federal Reserve Bank of New York Conference ‘Reforming Culture and Behavior in the Financial Services Industry’, New York, 20 October 2014) http://www.fcderalreserve.gov/newsevents/spcech/ tartullo20141020a.pdf. See in this respect also BCBS, Operational Risk 2011 (n 68) 7, para 21; BCBS, Corporate Governance Principles 2015 (n 67) 9-10, nrs 29-32. Since 2010, the Dutch prudential supervisor (De Nederlandsche Bank) has explicitly included ‘behaviour and culture of financial organisations’ as one of its focus areas of supervision. See for a comprehensive report: De Nederlandsche Bank, ‘Supervision of Behaviour and Culture. Foundations, Practices and Future Developments’ (DNB 2015), https://www.dnb.nl/binaries/Supervision%20of%20Behaviour%20 and%20Culture_tcm46-334417.pdf. Several other supervisors have followed suit. 2 Tarullo (n 90) 6; IIF 2015 (n 1) 3, last paragraph, referring to Starling as a venture exploring such applications; BCBS, Operational Risk 2011 (n 68) 7, para 21; Basel Committee on Banking Supervision, ‘Compliance and the Compliance Function in Banks’ (April 2005) 14, para 38. 3 Micheler and Whaley (n 10) 161-162. 4 Colaert (n 2) 75. 5 IIF 2016 (n 8) 4; see also FCA, Feedback Statement 2016 (n 54) 11; Colaert (n 2) 75-76; Buckley and others (n 20) 28.