Addressing the Rising Cost of Non-Compliance with RegTech

March 19, 2019 by Burt Esrig

In our previous RegTech blog post, we discussed how regulators are investing in the development of their own technological capabilities to quickly and efficiently manage data, and how this is evolving regulators' expectations regarding investment firms' use of tech. In this blog post, ACA's Burt Esrig illustrates how regulators' advances in tech are supporting their ever-broadening scope of responsibility, resulting in increased enforcement actions and fines. In this landscape, RegTech is no longer a "nice to have" for investment firms, but an imperative.


The adoption of regulatory compliance technology (RegTech) has increased in recent years and the reason is clear: not only has the financial industry’s regulatory framework become more complex and difficult to navigate, but the cost of non-compliance has also risen significantly.

According to the U.S. Securities and Exchange Commission’s (SEC) Enforcement Division’s (“the Division”) 2018 Enforcement Annual Report, 490 standalone actions were issued in FY 2018, 63% of which involved investment advisory issues, securities offerings, and issuer reporting/accounting and auditing collectively, with others relating to broker-dealer misconduct (13%), insider trading (10%), and market manipulation (7%).

The Division’s Cyber Unit became fully operational in FY 2018, further demonstrating the SEC’s continuing focus on cybersecurity. The Cyber Unit’s investigations led to 20 enforcement actions for cyber-related misconduct, with cases related to initial coin offerings (ICOs) and digital assets.

In the U.K., the Financial Conduct Authority (FCA) continues to focus on the Market Abuse Regulation, increasing its scrutiny of firms’ market abuse risk, trade surveillance, and controls, particularly at buy-side firms, and this has led to significant enforcement activity.

This regulatory focus has served as a driving force for firms to invest in technology that not only helps meet compliance obligations more efficiently, but also more effectively. In order to appreciate the challenges that RegTech is looking to solve, it is important to look at the cost of non-compliance and how it has evolved in recent years.

The Regulatory Reach is Ever-Expanding

One of RegTech’s biggest impacts is that it has made record storage easier and more efficient. When it comes to regulation, this basic technical capability has provided the means to expand powers of surveillance and enforcement. Greater transparency obligations have armed regulators with the information with which to investigate cases of non-compliance. Equally, new rules promulgated over the last several years – covering market abuse, data privacy, cybersecurity, best execution, inducements, anti-money laundering, bribery, and corruption – have broadened the regulators’ scope of responsibility.

Although the pendulum has started to swing away from overly prescriptive rules towards a more principles-based approach, this is not likely to reverse the demand for RegTech solutions. Looking at regulatory fines and investigations over the last couple of years shows a number of examples on both sides of the Atlantic that demonstrate regulators are only just starting to enforce new areas of responsibility.

More Regulatory Scrutiny, More Enforcement Actions

In the world of ever-increasing data privacy regulations, the UK’s Information Commissioner’s Office (ICO) in September 2018 issued the first enforcement action related to the EU General Data Protection Regulation (GDPR), against a Canadian data analytics firm for allegedly violating GDPR and the UK Data Protection Act (DPA).

The FCA has a record number of market abuse investigations open currently, with enforcement actions coming through for a range of offenses on both the sell side and buy side.

Electronic communication surveillance also continues to be a focus for regulators in both the U.S. and U.K. as a form of preventing and detecting financial crime within firms. The SEC, FCA, and Financial Industry Regulatory Authority (FINRA) have all issued enforcement actions that serve to remind firms across the industry of the need to allocate appropriate resources to continuously enhance their monitoring programs.

In the realm of cybersecurity compliance, the SEC’s Cyber Unit in 2018 brought the first case against a public company for failing to properly inform investors about a cyber breach, as well as the first enforcement action against a firm for violations of the Identity Theft Red Flags Rule. For the latter case, the charged broker-dealer/investment adviser agreed to pay a $1 million fine.

Also in 2018, the Commodity Futures Trading Commission (CFTC) ordered a registered futures commission merchant (FCM) to pay a $100,000 fine for its alleged failure to supervise its IT provider's implementation of key provisions in its information systems security program (ISSP).

A Broader Trend

These examples paint a clear picture across the industry: firms face broader obligations, closer scrutiny, and harsher enforcement than ever before.

This analysis is backed by aggregate statistics. The SEC’s Enforcement Division ordered $3.945 billion in disgorgements and penalties in FY 2018, an increase over FY 2017. In addition to the 20 standalone cases brought by the SEC’s Cyber Unit in FY 2018, the Division ended the fiscal year with more than 225 cyber-related investigations in the pipeline.

What the Future Holds

Globally, there are still many recently introduced regulations whose impact has not yet been fully realized across the industry. In Europe in particular, MiFID II has yet to be tested when it comes to enforcement. With GDPR having come into force on May 25, 2018, regulators are ramping up their enforcement activity related to GDPR non-compliance, presumably with more to come. Both sets of regulations are far-reaching in their scope, as well as in their extra-territorial nature and potential severity of penalties.

At the same time, initiatives such as the FCA’s Senior Managers and Certification Regime (SM&CR) (due to be extended to all investment management firms later this year) will further emphasize the need for individual accountability and professional competence. And while the current U.S. administration has signaled its desire to reduce the regulatory burden on firms, it has not yet made a material difference to the obligations of investment management firms themselves.

The RegTech Imperative

Participants in financial markets across the globe – individuals and institutions alike – face an ever-higher bar when it comes to the standards of behavior. To enforce those standards, regulators continue seeking greater transparency (through regulations such as MiFID II) and are introducing new surveillance systems (such as the consolidated audit trail in the U.S.).

Broadly, regulators regard technology as a key part of the industry’s roadmap (as detailed by FINRA’s recent report on RegTech and the FCA’s 2018/19 Business Plan). In addition, regulators are investing in their own technological capabilities to better perform their supervisory duties.

In the U.S., the SEC can analyze large amounts of trading data using its own National Exam Analytics Tool (NEAT), as well as review specific market activities using its Market Information Data Analytics System (MIDAS).

In the U.K., the FCA employs its Market Data Processor (MDP) system to analyze trading records for suspicious activities, as well as to interface with the European Securities and Markets Authority’s (ESMA) Transaction Reporting Exchange Mechanism (TREM) to exchange transaction reports with other National Competent Authorities (NCAs).

Technology has a clear role to play in compliance, and this will continue to evolve and grow. With IT contributing to the closer regulatory scrutiny of investment firms, and regulators expecting firms to be able to produce large and specific data sets on demand, RegTech is no longer a “nice to have,” but an imperative.

From helping to capture and disseminate the impact of new rules, train and monitor employee behavior, store records, submit reports, and manage certifications, registrations, and attestations, RegTech will continue to deliver a high return on investment to firms and their compliance teams by reducing risk, lowering compliance costs, and increasing efficiency.

How We Help

ACA helps firms meet their regulatory obligations effectively and efficiently through a combination of RegTech solutions and advisory services. To learn more about how ACA Technology can help or to request a demo, contact us here.

About the Author

Burt Esrig is a Managing Director at ACA, leading efforts to create regulatory technology (“RegTech”) products for use by a wide array of financial institutions. He has created and managed financial and technology businesses for over 25 years at major global banks and investment firms as well as at a start-up FinTech digital platform company.

Burt earned his Bachelor of Science degree in Computer Science from the State University of New York at Stony Brook. He has also completed non-degree coursework in accounting, marketing, and finance at New York University.