"Embracing technology and innovation in Compliance and Risk Management - A Perspective from MAS" - Speech by Mr Damien Pang, Executive Director (Data & Technology Architecture) and Deputy Chief FinTech Officer, Monetary Authority of Singapore, at RegTech Summit APAC on 4 November 2021
“Where is the knowledge we have lost in information?”
T. S. Eliot’s words from 1934 continue to ring true, in the current age of innovation and big data.
We are collecting much more data – the foundation of any decision making, because of improving technologies, changing business needs, to satisfy regulatory requirements and to enhance risk management capabilities in our institutions.
We have spent over a decade plugging the fault lines that resulted in the worst financial crisis. The financial system today is safer, simpler and fairer.
- But are we truly becoming more knowledgeable about new and emerging risks?
We have made great leaps in the policy and risk fronts. But we have not paid as much attention to the plumbing in this information age – the infrastructure and enablers that allow us to function efficiently and identify new fault lines that we may need to plug.
- Many firms still have in place proprietary IT systems that are more than a decade old.
- These systems do not communicate with other systems. Neither are they designed for the age of big data, AI and cloud computing.
- The limitations of these systems are now apparent and hindering progress in adopting innovative solutions in all domains.
- The pandemic has also brought existing and new shortcomings to the forefront.
Let me pivot to two specific domains – risk management and regulatory compliance.
- Regulatory Technology, or RegTech for short, has entered into the financial industry’s lexicon in recent years.
- RegTech is generally defined as the use of technology to enhance risk management, compliance and regulatory reporting by financial institutions.
- MAS is a strong advocate when it comes to the use of technology in financial firms.
In April this year (2021), we launched the RegTech grant, a S$12 million grant to support financial institutions to develop capabilities towards risk management or regulatory compliance.
- The reasons were obvious and remain so – depending solely on manual processes, siloed teams and outdated systems would be detrimental to the institution in the medium to long term.
- In the first six months of the grant, we have allocated close to 10% of the amount to relevant RegTech projects.
Administering the grant has given us significant insights into the use of RegTech in the industry and we continue to learn.
- Based on these insights, allow me to share four perspectives on how we can embrace technology and innovation in compliance and risk management, targeted at RegTech firms but with equally important lessons for institutions.
The first perspective - Embrace Limitations.
- During the development and testing phase of a product, many assumptions are often made. There is nothing inherently wrong with these assumptions. The problem arises when these assumptions get hardwired into the DNA of the product.
- This means that the product is unable to function should these assumptions not manifest in real life. And the likelihood of this happening is much higher than either reported or spoken about.
Take the foundation of any tool – Data.
- Often, many assumptions are made about data availability, data structures, data stores, etc.
- The reality is that financial institutions are only starting to develop and implement their data strategies. This comes with real implications because much time will be spent dealing with legacy systems, API-less datasets, old data file structures. Many tools either fail or only achieve limited success at best in these environments if they cannot adapt to these limitations.
- The key lesson here – Don’t relegate limitations to an afterthought; Consider these limitations early in the product lifecycle.
And this segues to my second perspective – The absolute need to support customisation.
- In the regulatory sphere, there must be an absolute expectation that the laws, rules and guidance from regulators are customised to each jurisdiction’s requirements.
- So while the foundation may be Basel Principles, CPMI/IOSCO Standards, FSB guidance, IMF requirements or FATF rules, as product developers, you will quickly learn that each jurisdiction charts its own path, building on these baselines and deviating significantly when it must.
- And this is where most RegTech products suffer significantly. The development sprints of the tool are often designed to operate in a one-size-fits-all environment, hardly a replication of the real, complex world.
I cannot stress this point enough, given the feedback we hear from the industry. Products languish in pilots, or products are unfairly criticised, or in extreme cases, products are given cursory consideration and dismissed almost immediately because they lack the ability to fit the market in which they are supposed to be deployed.
Reining In Complexities
And this brings me to the third perspective – Complexity is your biggest enemy.
Let me preface this perspective with an example.
- There was a tool that I had come across that prided itself on a level of sophistication that I had not seen, such that it did not seem to be grounded in rules nor known AI algorithms.
- Instead, all that was needed was for a large amount of data to be fed into the product for it to ‘self-learn’ the heuristics of the dataset.
- When the training was completed, it was able to proceed to detect anomalous data points.
- It was a fascinating demonstration of the technological capabilities and reflected an absolute mastery of complex mathematical techniques.
- However, this tool did not do too well when tested for various RegTech use cases, including transaction monitoring and credit scoring.
Simply put – It was too complex for it to inspire confidence.
- A Money Laundering Review Officer (“MLRO”) is unable to ascertain the reasons why the tool has flagged a transaction if no other information is present.
- Similarly, a staff member will likely remain unconvinced that a recipient is a poor candidate for a loan without any additional information beyond a simple red flag.
This example is just one of the many that we have heard about – tools that are presented with such complex features that firms are reluctant to consider them for everyday use.
We must remember that regulation today is significantly rules-based. Hence a tool that can efficiently synthesize the rules and establish the requisite outcomes will likely be held in higher regard than one that spits out red flags with nothing more.
- This is not to say that products should not bear features of machine learning or artificial intelligence. However, if this is the sole characteristic that defines your product, it will likely not generate the buzz that you had envisaged to replace existing methods.
In short, make sure your product is a solution to today’s working style as well as the challenges of tomorrow. And most importantly keep it simple.
Finally, on the final perspective – Don’t leave out the experts.
Let me elaborate using a parallel example.
- In a recent article in the MIT Technology Review, the headline reads “Pandemic tech left out public health experts. Here’s why that needs to change”.
- The article speaks about how various sophisticated technological tools were developed to alert individuals about potential exposure etc. However, much of this development work was devoid of inputs from the very individuals whose inputs are sorely needed – healthcare professionals.
- Consequently, these tools were riddled with complaints and struggled with poor interest.
Shifting gears back to RegTech, the same advice remains sage, but sometimes forgotten.
- We focus so much on the marvels of technology and its potential, forgetting that it is but a means to achieve something much more foundational, in this case, regulatory compliance.
- To succeed in the RegTech space, you need deep domain expertise. The individuals using your product are not going to be technologists. Instead, they are going to possess deep domain knowledge and will evaluate your product on those terms.
In closing, I hope my sharing of these four perspectives can spur solution providers and financial institutions to better work together and support the adoption of useful technologies and innovation.
The future of compliance and risk management is data-driven.
- In fact, this future is already here, just not even.
- TS Eliot has been prescient of the information age.
- But the industry’s ability to fully harness the immense data lies in its ability to embrace technology and innovation to transform these data into knowledge and ultimately wisdom.
- Of equal interest are the RegTech solution providers playing their part in helping the financial institutions to be able to embrace technology and innovation.
I look forward to the close cooperation between financial institutions and solution providers with better understanding of pain-points and needs, and wish everyone a fruitful conference ahead.