FinTech, RegTech and SupTech: What They Mean for Financial Supervision
Sunday, Jul 30, 2017


The global financial crisis that began in 2007 has triggered a comprehensive reform of the financial regulatory architecture, as well as a profound rethinking of the effectiveness of financial supervision. Potentially as a consequence (and partly an additional cause) of the post-crisis reforms, a major transformation of the financial services industry is underway. A flurry of new business models, products and services based on technological innovations is seen across the globe, commonly referred to as “FinTech”. There is enormous potential for greater competition, consumer choice and convenience, interoperability, operational efficiency through cost savings, and improved risk management.

The rise of FinTech raises questions for financial authorities, such as whether to expand the regulatory and supervisory perimeter; whether new types of digital financial services fit existing regulations; and how to identify, monitor and mitigate the risks of FinTech innovations and FinTech firms. There are also questions as to whether FinTech could lead to disintermediation and affect financial stability or change how central banks operate.[2] Finally, FinTech makes extensive use of a wide range of digital data managed through computer networks often connected to the Internet, so the question arises as to whether cybersecurity and data protection risks are well understood, managed and mitigated.

Financial authorities are looking into how to keep their financial systems stable while harnessing the benefits of FinTech, and existing supervisory policies, procedures and resources may no longer be adequate to address a fast-changing landscape. In fact, several supervisory agencies are piloting or implementing new approaches based on technological solutions[3] developed by two subsets of FinTech, which are discussed at more length in this Note: RegTech and SupTech. These new approaches may well have a deep impact on financial supervision.

Objectives of this Note

This Note intends to provide introductory material for financial authorities to better understand:

  • The context in which FinTech, RegTech and SupTech have been developing;
  • The potential consequences of FinTech for financial supervision;
  • What RegTech means and how it could help financial supervision;
  • What SupTech means and how it could help improve supervision;
  • The emerging shift in supervisory approaches, driven by RegTech and SupTech; and
  • Initiatives to foster FinTech, RegTech and SupTech.

The Post-Crisis Context

The global financial crisis revealed important gaps and deficiencies in financial regulation and supervision. As a result, a comprehensive and ongoing revamping of the global financial regulatory architecture is being overseen by the Financial Stability Board (FSB) and involves standard setting bodies such as the Basel Committee for Banking Supervision (BCBS).[4]

In addition to responding to pressure to increase regulatory and supervisory effectiveness, many financial authorities have also expanded their mandates to include responsibilities that some once considered conflicting with the stability mandate, such as consumer protection, competition and financial inclusion. These add to the challenge of allocating limited resources in a balanced manner. In part as a consequence, authorities are ramping up their data collection efforts and rethinking their overall approach to supervision.

One of the weaknesses exposed by the crisis was poor risk data gathering and reporting within banks, which culminated in the BCBS issuing its Principles for Effective Risk Data Aggregation and Risk Reporting in 2013. This was a key development, as the principles impose minimum standards for data gathering and management, as well as for IT infrastructure, which could require additional investment in technology and organizational restructuring. The increasingly complex global regulatory framework, the growing regulatory reporting requirements, and the risk of expensive penalties as a result of the stricter post-crisis standards have all contributed to soaring regulatory compliance costs at financial institutions, particularly for internationally active banks facing vast and sometimes conflicting regulations.

The FinTech Revolution

Financial Technology, or FinTech, has emerged mostly as profit-driven initiatives to explore business opportunities such as untapped markets or markets that became less attractive or too costly for established financial institutions, particularly in the post-crisis context (e.g., remittances to certain regions or countries). In turn, this competitive force has been driving incumbents to innovate as well. FinTech can also be seen as an ingredient of the decades-long digitization of services offered by established institutions,[5] and as a response to high compliance costs at established institutions and the need to solve long standing weaknesses, such as poor risk data management.

The FSB (2017) defines FinTech as “technology-enabled innovation in financial services”, including in this definition a mix of products/services (e.g., digital retail payments, digital wallets, FinTech credit, robo-advisors, and digital currencies) and their underlying technologies. In order to fully understand FinTech and permit an assessment of its risks and opportunities, it is useful to differentiate between the businesses, the products and services, and the technology. Box 1 briefly explains some of the most relevant technologies used in FinTech.

Box 1: Key technologies in FinTech[6]

  • Application Program Interface (API) – APIs are definitions, protocols and tools that specify how different software should interact. They allow the development of computer programs such as personal finance management applications that access a person’s bank (or other) account information to provide a range of facilities (e.g. financial management tools).
  • Artificial intelligence (AI) – artificial intelligence is the science of making computer programs perform tasks such as problem-solving, speech recognition, visual perception, decision-making and language translation. AI has numerous applications and is increasingly used in the financial sector (e.g., robo-advice, transaction authentication). Increases in data processing and storage power, as well as advances in some of its sub-sets, most notably machine learning, have boosted AI in recent years.
  • Machine learning – machine learning can be considered a sub-field of AI that focuses on giving computers the ability to learn without being specifically programmed for it through hand-inputted code. It is focused on parsing and learning from large amounts of data in order to make a determination or prediction. Machine learning uses a variety of techniques, including neural networks and deep learning. In the past, AI tried to mimic human behavior through rules-based methods, i.e., logic-based algorithms. Today, machine learning is data-based, that is, computers analyze a large volume and variety of data to recognize patterns, which do not need to be intuitive or rational, or translated into program code. This type of machine learning is already having an impact on financial services and financial supervision.
  • Internet of Things (IoT) – IoT is not a technology per se, but a concept. It uses several technologies with the purpose of connecting everyday life devices (e.g., refrigerators, house alarms, mobile phones, cars) to the Internet in order to provide value to the customer, including facilitating financial transactions such as purchases and bill payments, or providing security services, among many other applications.
  • Big Data analytics – Big Data is a loose term to refer to large volumes of unstructured (e.g., emails, Internet traffic) and structured (e.g., databases) data whose analysis is not possible using traditional analytical tools. It includes data collected through networks such as the Internet or corporate intranets, and other data that organizations generate and store in the normal course of their businesses. Big Data analytics focuses on, for instance, discovering patterns, correlations, and trends in the data, or customer preferences. It can be based on machine learning or other technologies.
  • Distributed ledger technology (DLT) – A distributed ledger system is a database shared between multiple parties (nodes) to execute mutually agreed-upon transactions based on some consensus mechanism. The key feature is that all nodes have identical versions of the data, dispensing with a central trusted party (e.g., a clearinghouse). These characteristics make cyber attacks and data alteration difficult. Often, the terms “blockchain” and DLT are used interchangeably, but blockchain is a type of DLT, which was popularized by Bitcoin starting in 2009. In Bitcoin, the ledger of transactions is a series of blocks of data linked together through cryptography (the blockchain) based on the work of “miners” (nodes that continuously solve cryptographic puzzles to validate transactions that will comprise the blockchain). There are many potential applications for DLT, such as cryptocurrencies, central bank fiat currencies, public registries (e.g., property, birth and identity registries), and smart contracts. DLT could have profound impacts in the financial sector by creating efficiency gains (e.g., streamlining back-office for trade finance and other areas), changing financial and non-financial infrastructures, changing roles of central counterparties, etc.
  • Smart contracts – a smart contract is a digital contract that can self-execute automatically when conditions are met. Using DLT to create and execute contracts has potential benefits such as immense process and cost efficiencies, and interoperability. Examples of DLT used as smart contracts platforms are Ethereum and Corda (by R3, a consortium of international banks developing DLT for financial services).
  • Cloud computing – cloud computing is the use of remote and shared servers hosted on the Internet to store, manage and process data, rather than servers and computers owned and locally maintained by each user of the cloud (e.g., a bank). It has significantly increased the capacity of financial institutions and other organizations to generate, store, manage and use data with lower costs and higher flexibility.
  • Cryptography – cryptography is the science of protecting information by transforming it into a secure format (i.e., by encrypting it). While it has traditionally focused on the exchange of cryptographic algorithms, developments in quantum computing are driving the transformation of cryptography methods (current algorithms rely on mathematical problems that could be relatively easily solved by a powerful quantum computer, so cryptography will need to evolve to techniques that continue to hold when quantum computers become mainstream).
  • Biometrics – biometric technology relates to the digital capture and storage of unique characteristics of individuals, such as customers (e.g., fingerprint, iris, voice, face) primarily with the purpose of increasing the security (and convenience) of financial transactions.

FinTech innovation can be developed and used by both new firms coming from outside the traditional regulatory and supervisory perimeter (hereafter “FinTech firms”) and established financial institutions, including banks, insurance companies and others. FinTech firms can be small start-ups or even tech giants such as Apple, Google and Tencent (China).

Numerous innovations in financial products and services are observed across the globe, some of which are summarized in Box 2.

Box 2: Examples of financial products and services using FinTech

  • Digital payments and e-money – FinTech innovations are increasingly explored for wholesale payments, but most of the action is in the retail payments. Particularly in developing countries, where cash accounts for the bulk of retail payments and where payment (debit and credit) cards are not widely used, FinTech firms offer options for peer-to-peer transfers, bill payments, and electronic purchases. In many cases these services are attached to an e-money product, i.e., a digital wallet where customers can hold monetary value for an undetermined period of time. A pioneer was Kenya’s M-PESA, offered by Safaricom, a mobile network operator, but there are numerous other examples. These products may also be tied to savings accounts or insurance products.
  • International remittances – there is a wealth of FinTech innovation focused on large international remittances corridors. FinTech has been simplifying procedures and cutting the costs of transfers, including to serve the undocumented diaspora in a variety of countries. The services may be based on e-money products, traditional bank accounts, cryptocurrencies (see below), or combinations of these.
  • Personal and business loans – FinTech credit is a burgeoning market and can take many forms and target various customer segments, including low-income borrowers and micro, small and medium enterprises. Most often, FinTech credit utilizes novel credit scoring methods based on alternative data collected outside of the financial sector (e.g., Big Data, bill payments history, mobile phone usage). Many products are based on automated credit decisions, whereby a customer applies for and has her loan disbursed in only a few minutes, simply by pushing some buttons on her mobile phone.
  • Peer-to-peer (P2P) lending platforms – within FinTech credit, an important development is peer-to-peer lending platforms, which are mostly Internet-based services provided by a FinTech firm where lenders and borrowers “meet”. Platforms vary widely in format and operating rules.[7]
  • Crowdfunding platforms – Crowdfunding platforms are mostly Internet-based services provided by FinTech firms to facilitate funding/investment opportunities, including equity investment and donations. Like P2P lending platforms, these vary widely in shape and operating rules.[8]
  • Robo-advisors – robo-advisors (also called “automated” or “digital investment” advisors) are online platforms that provide services such as financial advice and, most often, portfolio management, with minimum or no human intervention.
  • Cryptocurrencies – Bitcoin was the first widely used cryptocurrency, but many others have been created since 2009, when Bitcoin was launched. Cryptocurrencies are not issued by government authorities and are not usually recognized as and do not represent fiat currency. Like Bitcoin, other cryptocurrencies are based on DLT. Individuals and companies can acquire and sell cryptocurrencies by being parties in the distributed ledgers, or by using specialized cryptocurrency online exchanges.

FinTech can impact financial sectors in four major ways:

  1. by increasing competition, expanding consumer options, democratizing access to financial services – particularly in developing countries – and driving further innovation as a consequence. Innovations create new product/service features and new commercialization strategies and channels;
  2. by increasing efficiency due to innovation in:
    • relevant infrastructures such as payment systems infrastructure, credit information systems, and public registries (e.g., collateral registries, land registries, and ID systems). One example is know-your-customer (KYC) utilities, i.e., facilities that can be used by multiple financial service providers, and which streamline the collection and exchange of client identification data;[9]
    • back-office and frontline procedures at traditional financial institutions, as well as in their decision-making process. This includes improvements in risk management and regulatory compliance (see discussion on RegTech below). More often, the adoption of innovation by established institutions relies on partnerships with FinTech firms, which assume specialized roles, such as providing credit scoring, insurance pricing tools, KYC utilities, prepaid account management, and communications automation.[10] For instance, although large banks own a vast quantity of customer and transactional data, often their legacy systems and data analytics capacity are not adequate to extract business intelligence in a timely and cost-effective manner. Hence, they turn to FinTech firms for advanced data analytics, including Big Data analytics.
  3. by creating new investment opportunities for established institutions. Banks and insurers are increasingly investing in and buying out FinTech firms, as part of their broader investment portfolio, and some are also sponsoring FinTech incubators to generate investment opportunities.
  4. by improving financial supervision (see discussion on SupTech below).

What Does the New Landscape Mean for Supervisors?

The opportunities and the risks introduced by FinTech relate to i) the innovative use of data; ii) the underlying technologies (see Box 1); iii) new players (e.g., FinTech firms) and business models; and iv) new products and services. FinTech uses large amounts and new types of digital data (e.g., Big Data), which was made possible by the development of advanced data analytics and processing capacity. This new data-intensive era is characterized by the “3 V’s”: high velocity, large variety, and big volumes of data, raising concerns for data protection and privacy, bank secrecy, cybersecurity, and data management. For instance, how to enforce customer consent requirements when any type of data can be used, even if its original collection had nothing to do with financial services (e.g., “likes” on Facebook, Google maps locations), or when financial transactions are seamless and automatized in the IoT? Are regulations on cross-border data flows adequate for the IoT and cloud computing? What constitutes “personal” data in this context, and who should own it: customers or the entities collecting the data?[11]

Most technologies used in FinTech are not new (e.g., cryptography, cloud computing, AI), but recent advances in these technologies (e.g., new approaches to machine learning) and the infrastructures they use (e.g., Internet and wireless services) allow more extensive and innovative use to permit new types of financial products and business models. One new technology in particular, DLT, is drawing increased attention by financial authorities. DLT’s strengths are its transparency and security related to its decentralization and the blockchain, but these same characteristics create regulatory complexities. How do privacy and liability work in a decentralized system? What about the “right to be forgotten” and how to reverse transactions when data is stored in an immutable blockchain? What jurisdiction’s regulations apply when distributed ledgers can be borderless? Should supervisors be participants in distributed ledgers? Which supervisor(s)? Should there be supra-national supervisors for DLT? [12]

FinTech firms play a variety of roles which could benefit customers and financial sectors, but a plethora of issues arise, such as whether these players (and which ones among them) should be regulated and supervised, whether they fit the existing regulatory framework, introduce risks to national payment systems, accelerate financial disintermediation, pose risks to partner financial institutions, or introduce poor business practices. Questions also arise with new products and services, including whether deposit insurance should apply to e-money issued by FinTech firms, whether and how to regulate cryptocurrencies and FinTech credit, whether to regulate the algorithms used in robo-advisory and other services based on automated decision-making to ensure consumer and investor protection, etc.

It is a complex and fast changing environment. Even if there were no FinTech revolution underway, the post-crisis pressure for greater supervisory effectiveness and the expanding statutory mandates of financial authorities are already overwhelming developments. How to deal with this challenging context? Are the current approaches to regulation and supervision still adequate? How to spur healthy innovation while achieving supervisory effectiveness? At least part of the answer to these questions is FinTech itself.

RegTech, SupTech and What They Can Do for Supervisors

An Overview

In much the same way technology is changing the financial industry, it is also changing how the industry and financial authorities implement and enforce regulations. Regulatory Technology (RegTech), defined as a sub-set of FinTech, has been growing strongly in the last couple of years and has attracted numerous start-ups as well as giants like IBM and global consultancy firms.[13] As in other areas of FinTech, there is not yet an agreed upon definition of RegTech and its typology. The Institute of International Finance (IIF) defines RegTech as “the use of technologies to solve regulatory and compliance requirements more effectively and efficiently”.[14] Similar definitions can be found, but all seem relatively limited in the face of the promise that RegTech holds to overhaul not only regulatory compliance and risk management by regulated financial institutions, but also the nature of regulation and supervision.

RegTech focuses on technology-based solutions to attenuate or solve regulatory and supervisory challenges, including the challenges posed by the expansion of FinTech. It leverages digital data and computer networks to replace old-style processes, organizational and IT structures, and analytical tools, and to improve the decision-making process. The technologies used in RegTech are the same ones used in broader FinTech (summarized in Box 1). As in other areas of FinTech, a key element is the 3 V’s of data, including new types and sources of greater volumes of data that may not have been “usable” up to now (e.g., e-mails, PDF files, voice recordings, Internet traffic, social media, etc.). A combination of technologies and innovative processes is deployed to modernize data gathering and data analytics, with the purpose of generating more refined and/or timely intelligence to feed the regulatory compliance and risk management functions at financial institutions, or to benefit the regulatory and supervisory processes at financial and supervisory authorities.

RegTech can be divided into two sub-segments: RegTech for financial institutions and RegTech for supervisors and regulators, or SupTech.[15]

RegTech for Financial Institutions

Significant business opportunities for RegTech arise from the trade-off between the need to stay compliant with ever-changing regulations and the need to cut costs to remain profitable. Accordingly, most of RegTech today centers around solutions for regulated financial institutions, helping them comply more efficiently and with greater certainty with regulations and improve risk management, while cutting costs. While the market is still developing, the following areas of RegTech can be identified:[16]

  1. Compliance

This represents a good part of RegTech today. Examples include enterprise-wide solutions for identifying and keeping track of changes in regulatory requirements, at local or global levels, and solutions for automated real-time monitoring of compliance levels and compliance risk, based on the analysis of operational and other data (e.g., employee monitoring, historical email analysis, human behavior analysis, trade communication analysis). This form of automated compliance may be called “dynamic compliance”, i.e., regulatory requirements are embedded into IT protocols to ensure continuous compliance and confirm whether the data reported to supervisors is accurate and relevant. This type of RegTech can dramatically reduce the costs of manual compliance procedures. A wave of start-ups and a few tech giants operate in this arena to help institutions keep up-to-date with regulatory requirements, identify potential financial crimes, and manage financial risk. Numerous other topic-specific solutions can be found, e.g., for cybersecurity, shareholder disclosure, automated audits, etc.

  2. Identity Management and Control

Another important area in RegTech focuses on counterpart due diligence and KYC procedures, anti-money laundering (AML) controls and fraud detection. Examples include the digitalization of client or partner onboarding processes, the digitization and sharing of customer/partner information, the gathering and analysis of customer and transaction data, and the identification of suspicious transactions based on automated triggers and constantly updated customer/partner profiles. KYC utilities based on DLT or other technology are also included in this area of RegTech.

  3. Risk Management

This area focuses on tools to improve the risk management process at financial institutions, by bringing efficiencies to the generation of risk data, risk data aggregation, internal risk reporting, automatically identifying and monitoring risks according to internal methodologies or regulatory definitions, and creating alerts and automated actions triggered when pre-determined risk levels are reached. These solutions may rely on advanced data analytics supported by machine learning or other AI applications.

  4. Regulatory Reporting

This is a crucial area for supervisory agencies and a central element in regulatory compliance. RegTech solutions help automate and integrate regulatory reporting requirements to cut costs, and streamline and increase the accuracy and timeliness of reporting, including making real-time reporting possible.[17]

  5. Transaction Monitoring

This area focuses on conduct-of-business requirements, and solutions offer real-time transaction monitoring and auditing, such as by using DLT, end-to-end integrity validation, anti-fraud and market abuse identification systems, back-office automation (post-transaction settlement, closing procedures), and risk alerts.

  6. Trading in Financial Markets

This area relates to the automation of the numerous procedures related to transacting in financial markets, such as calculating margins, choosing central counterparties and trading venues, assessing exposures, complying with good conduct-of-business principles, etc.

A useful consideration is whether RegTech solutions are developed and implemented separately by individual financial institutions in bilateral partnerships with FinTech firms, or whether financial institutions cooperate to jointly build or use a third-party solution to achieve efficiency gains – the “shared utility model”. Examples of the shared utility model include regulatory reporting utilities and KYC utilities.

SupTech (or RegTech for supervisors)

RegTech does not stop at regulated institutions: SupTech is starting to tackle challenges faced by supervisory agencies. As in RegTech, solutions are automating and streamlining administrative and operational procedures, digitizing data and working tools, and improving data analytics. Some financial authorities are also exploring opportunities to automate the regulatory process (see 0 below). Increasingly, innovations bet on an emerging revamping of financial supervision itself, a shift away from current approaches based on past data, lengthy onsite inspections and often delayed supervisory action, towards a pro-active, forward-looking supervision that relies on better data collection and sophisticated data analytics, and greater storage and mobility capacity such as by using cloud computing. Many supervisory agencies are specifically looking into how DLT could be used to help advance their objectives.

Transforming Supervisory Data

A critical step in transforming financial supervision is improving one of its most important inputs: data. SupTech can help in, for instance, reducing time-to-report, collecting much more granular financial and transactional data without facing undue costs, expanding data utilized beyond institution-reported data, and reducing or eliminating manual processes in the aggregation and collection of data.

Currently, the prevalent approach to data collection by supervisory agencies (and other financial authorities) is periodically (daily, monthly, quarterly, annually) collecting aggregate business data (the bulk of which is financial data) in the shape of standard report templates. In some cases the data may be organized and reported in Excel spreadsheets or even in hard copy. Each department at financial authorities may have their own report templates using different formats or formulas, even though much of the underlying data may well be the same. The current focus is on “documents”, i.e., report templates, rather than on the primary data that constructs the desired reports. The downsides of the prevalent “template-based” approach are:[18]

  1. Limited flexibility for the supervisor to manipulate data and create customized indicators to support differentiated analyses;
  2. The data aggregation process at financial institutions, especially large institutions with multiple systems from which data is pulled, can be costly and often involve manual procedures;
  3. High costs of reporting granular or more data when using templates, due to the system adaptations that are necessary to be implemented by reporting institutions;
  4. Potential inconsistency of indicators across different templates, due to errors in calculations and coding, or misinterpretation of data points;
  5. Missing data points (blank data fields);
  6. Data validation at the aggregate level, which leaves room for errors and misreporting;
  7. Large number of templates, often overlapping with each other, increasing compliance costs.

There is an emerging shift toward requiring more granular and frequent data to support more effective, intrusive and intensive financial supervision. Many post-crisis regulations require financial institutions to report a large set of data on individual operations, such as security-by-security, and loan-by-loan reporting. Technology is needed for this shift because trying to increase data scope, frequency and granularity using the template-based approach would be too costly and could reduce data quality and increase the burden on supervisory agencies and institutions alike.

Collecting granular data that is not constrained by pre-formatted templates gives more flexibility to supervisors to build customized indicators and ensure the calculation is correct and harmonized across reporting institutions, to create any desired report in any format at any time, and to conduct a much wider range of analysis. Granular data could give richer and more timely supervisory insights, particularly if advanced data analytical tools are used. Also, if adequate institutional arrangements are in place, granular data reported only once could meet the needs of different departments at supervisory agencies, or different financial authorities in a country that need similar data.

SupTech offers a path for shifting away from templates and manual procedures. For instance, it could support:[19]

  1. Data-input approach – reporting institutions automatically package business data in a standard and highly granular format according to specifications (e.g., taxonomy) by the supervisory agency and send it to a central database. No aggregation is done prior to reporting, which reduces the compliance costs compared to the template-based approach, and helps avoid errors or losses during aggregation.
    See Box 3.

Box 3: OeNB's data-input approach to regulatory reporting

The Austrian central bank, OeNB, has revamped its data collection mechanism to shift away from templates and to produce higher quality and more timely granular bank data, with a higher level of integration between OeNB and banks’ operational systems. The new system has been debated within Europe and may end up encouraging other European authorities to make similar shifts. See Piechocki & Dabringhausen (2015).

  2. Data-pull approach – raw (non-standardized) business data is sourced directly from the institutions’ operational systems by automated processes triggered and controlled by the supervisory agency, and only later standardized by the agency itself, using SupTech solutions.
  3. Real-time access – the supervisor pulls or “sees” operational data at will (rather than at pre-determined reporting periods) by directly accessing the institutions’ operational systems, which could include monitoring transactions on a real-time basis.[20]
  4. Reporting utilities – SupTech can create reporting utilities, i.e., centralized structures that function not only as a common database of reported granular data but also as a repository of the interpretation of reporting rules, in a format that is readable by computers (this may be called a “semantic reporting utility”). Reporting utilities could reduce the costs and inefficiencies of the current reporting environment, in which each reporting institution designs and implements its own processes and interpretations of the reporting rules, often relying on external legal advice for complex regulations. Together with machine-readable regulations (i.e., regulations issued as programming codes that can be assimilated immediately by institutions’ operational systems, without the need for a human to interpret them), reporting utilities could “industrialize” (i.e., fully automate) the reporting value chain.[21]
  5. Gathering intelligence from unstructured data – in addition to transforming regulatory reporting, SupTech is also creating opportunities for supervisory agencies to collect and analyze unstructured data (i.e., data that is not organized in databases) with greater efficiency, which could relieve supervisors from time-consuming tasks such as reading numerous PDF files, searching the Internet, etc. Relevant data could include, for instance, Big Data, corporate websites, marketing materials, consumer agreements, social media, and information created internally at the supervisory agency but kept in unstructured formats (e.g., inspection reports, emails, official communications, meeting minutes, licensing applications, etc.).
  6. Regulatory submissions and data quality management – although many supervisory agencies, in particular in developed economies, have fully automated procedures to manage submissions by reporting institutions and manage the quality of the reported data, including running validation tests, new SupTech products and services are being offered specifically for submission and data quality management, which could benefit supervisors in jurisdictions where these tasks involve manual procedures.

A New Era of Financial Supervision and Regulation Fueled by SupTech

New data collection mechanisms are a building block in an emerging paradigm shift in financial supervision. Technology creates opportunities for the development of sophisticated and data-intensive approaches to supervision. SupTech firms offer an increasing range of products and services, from standardizing, digitizing and automating basic supervisory procedures and working tools such as inspection reports, to solutions that could radically change financial supervision by expanding supervisory scope, transforming procedures and techniques, and increasing timeliness of supervisory assessments. A few examples of SupTech applications are highlighted below (though most are still in concept or, at the most, pilot phase):

  • Real-time supervision, by looking at data as it is created in the regulated institutions’ operational systems;
  • Exceptions-based supervision, in which automated checks on institutions’ data and other information automatically collected and analyzed by the supervisory agency identify “exceptions” or “outliers” to pre-determined parameters for expected behavior, triggering supervisory action;
  • Automated implementation of supervisory measures, such as sending an (automatically created) direction for capital increases based on automated data analysis and decision-making;
  • Algorithmic regulation and supervision in areas such as high-frequency trading, algorithm-based credit scoring, robo-advisors or any service or product that automates decision-making;
  • Dynamic, predictive supervision by using machine learning, which could move supervisors to take supervisory actions in a preemptive manner based on predictive behavioral analysis.

Some of the above examples could mean a radical departure from current supervisory approaches and raise a range of opportunities and questions for financial authorities across the globe. The intensive use of digital data and the automation of supervisory procedures could result in important efficiency and effectiveness gains that many authorities seek. But it could bring new problems and uncertainties, for instance, by making the impact of potential cyberattacks or operational failures much more serious than when using manual and paper-based procedures. Risk management at supervisory agencies would need to improve accordingly. Also, how much automation is too much? To what extent can machines substitute for human judgment in supervision? Are supervisory agencies capable of critiquing and controlling the quality of the predictions and intelligence generated by new technologies such as machine learning and Big Data analytics? Finally, how will technology change (or not) existing risk-based supervisory frameworks?

In addition to supporting new supervisory approaches, SupTech promises to transform the regulatory process as well. For instance, there are at least a few authorities exploring how to develop machine-readable regulations. Once in the institutions’ systems, the regulation (which is in the form of codes) could interact with RegTech compliance solutions to impact the business, for example, by sending alerts to managers about the need to change capital allocation, interest rates, reporting, etc., or other more complex applications. Machine-readable regulations could be incorporated into reporting utilities to fully automate the reporting process, eliminating the need for institutions to seek legal advice to interpret the regulations and spend programming time to change reporting protocols in IT systems. Machine-readable regulations could also help institutions and supervisory agencies more rapidly and accurately estimate the impact of regulatory changes, streamline industry consultations when considering regulatory reforms, and reduce regulatory complexity over time.

Lastly, although still a frontier area, supervisory agencies will need to consider how to position themselves when DLT becomes mainstream in financial services. Similar to the concept of having real-time access to the business data generated and stored in the operational systems of regulated institutions, supervisors could, for instance, become participants in distributed ledgers, which would allow them not only to have real-time access to transaction information, but also to have a say in the rules of the ledger and on whether each transaction should (or not) be completed.

Encouraging FinTech, RegTech, and SupTech

Many authorities have demonstrated keenness to encourage innovation in FinTech, as well as RegTech and SupTech, that could address current challenges for supervisory agencies and financial institutions alike. There are several initiatives taking root in an increasing number of countries, and most seek to build a collaborative environment from which both the supervisory agency and financial institutions (including FinTech firms of all sorts) can benefit. The most commonly cited initiative is the regulatory “sandbox,” which is a controlled environment created by the financial authority for regulated or unregulated, start-up or incumbent, institutions to test innovations for a certain period and according to certain rules. There are many possible ways to structure a sandbox and the practice varies across countries. It could, for instance, give temporary exemption from regulatory or licensing requirements, or confirm that a particular innovation will not be subject to specific regulations. In all cases, the results of the sandbox are intended to be used as an input for the regulatory and supervisory agencies.[22]

Other initiatives are FinTech offices (which can also be called Hubs, Labs, or other terms) and FinTech events. FinTech offices are specialized units within financial authorities, dedicated to FinTech issues,[23] which may function as a single point of contact to help FinTech firms navigate the regulatory and licensing framework, to study FinTech developments, to act as an internal resource center, and to disseminate information to the public. FinTech events can be organized by FinTech units and can include roundtables, seminars, conferences and hackathons (a challenge in which FinTech firms seek to solve a specific problem posed by the event organizer). The objective of such events can be to foster the development of solutions to specific challenges (e.g., regulatory reporting, KYC), although some authorities may have broader goals.

In addition to the above, regulators may also be pro-active and participate in or sponsor FinTech Accelerators and FinTech Incubators, which are more often initiated and sponsored by the private sector, including established financial institutions. There are numerous examples of, for instance, large banks in various regions of the globe encouraging FinTech development by providing a physical space for innovators, and organizing knowledge sharing events and competitions in which prizes or financing are given out to the winners.

Actively collaborating with FinTech, RegTech and SupTech firms could help financial authorities more easily identify impediments to innovation, such as regulatory hurdles or difficulties presented by current practices (e.g., lack of harmonized data standards and definitions) and IT systems (e.g., outdated reporting portals). For instance, given that most innovation is based on intensive use of digital data, an area that could pose obstacles is data management and data sharing regulations, which could prohibit the use of cloud computing, shared utilities and other innovations. IT regulations that are not technology neutral may also present challenges.[24] Collaboration and engagement help in the identification of such challenges and consultations about possible solutions.


The current regulatory, supervisory and market landscape for financial authorities is highly complex and fast changing. Regulations have been revamped in the aftermath of the financial crisis to deal with weaknesses in conduct and risk management, and to increase supervisory effectiveness. In parallel, and in part as a result, a wave of FinTech innovation is sweeping the globe, introducing risks related to new technology, business models and new products and services. But FinTech also has significant potential to contribute to objectives such as increasing the efficiency of financial sectors, and promoting competition and financial inclusion, so a balanced reaction from the authorities is needed. This new reality requires reviewing regulations and assessing whether current supervisory approaches remain adequate, or whether a shakeup is needed.

Recent and emerging developments in RegTech and SupTech offer opportunities for authorities to deal with the current landscape. RegTech could transform regulatory compliance and risk management at financial institutions, while SupTech could increase supervisory effectiveness and efficiency. Solutions that use advanced data analytics and technologies such as machine learning to rapidly process and produce intelligence out of a large volume and variety of digital data could lead to more timely (or real-time), dynamic and even predictive, supervision, allowing supervisors to extract knowledge from data that would be otherwise inaccessible. SupTech could also transform the way regulations are drafted, discussed and adopted, by creating machine-readable regulations. A new era in supervision and regulation will not be reliant on one or two technologies, but on the combination of many technologies. Financial authorities need to understand what’s being offered, and should seek to take full advantage of available solutions.

RegTech and SupTech could lead to major paradigm shifts, which could be relevant to authorities in both developed and developing economies. Arguably, developing and low-income countries, where legacy banking IT systems and supervisory procedures may have shallower roots, could adopt RegTech and SupTech to leapfrog to a new era more easily or faster than developed economies with more complex and well-established financial systems and supervision (where the shift may be more gradual). In any case, it is crucial to avoid adopting new technology without having a strategic and overarching long-term view of where financial supervision should head in each particular jurisdiction.

Paradigm shifts can only succeed with the right mindset and leadership at regulatory and supervisory authorities, since they require a profound cultural transformation. Authorities need first to recognize that they must change and be strategic in reviewing existing approaches, organizational structures, IT systems, and technical skills. They need to understand and monitor developments in FinTech and in particular in RegTech/SupTech in their jurisdictions (and beyond), which could be done in part through closer engagement with industry players, including currently unregulated FinTech firms. Building specialized knowledge through innovation offices or similar units may also be beneficial. As the Silicon Valley mantra goes, “the expected impact of technological change tends to be overestimated in the short run but underestimated in the long run”.[25] A proactive attitude towards innovation will ultimately help financial authorities navigate the sea of change to foster market development while curbing excessive risks.


Basel Committee on Banking Supervision. Principles for Effective Risk Data Aggregation and Risk Reporting. January 2013.

Cermeño, Javier Sebastián. Blockchain in Financial Services: Regulatory Landscape and Future Challenges for its Commercial Application. BBVA Research Working Paper 16/20. December 2016.

Dias, Denise and Staschen, Stefan. Data Collection for DFS Supervisors. CGAP Working Paper. 2017. (forthcoming)

Bank for International Settlements. Committee on Payments and Market Infrastructures. Distributed Ledger Technology in Payment, Clearing and Settlement: An Analytical Framework. February 2017.

Financial Stability Board. Financial Stability Implications from FinTech: Supervisory and Regulatory Issues that Merit Authorities’ Attention. June 2017. (Referenced in the text as 2017a.)

Financial Stability Board. FinTech Credit: Market Structure, Business Models and Financial Stability Implications. May 2017. (Referenced in the text as 2017b.)

Institute of International Finance. RegTech in Financial Services: Technology Solutions for Compliance and Reporting. March 2016.

Piechocki, M. and Dabringhausen, T. Reforming Regulatory Reporting: From Templates to Cubes. Bank for International Settlements, December 2015.

Additional Readings

Aaron, M., Rivadeneyra, F. and Sohal, S. FinTech: Is This Time Different? A Framework for Assessing Risks and Opportunities for Central Banks. Bank of Canada Staff Discussion Paper 2017-10. 2017.

“AI Watchdog Needed to Regulate Automated Decision-making.” Guardian (London, U.K.). January 27, 2017.

Arner, D., Barberis, J. and Buckley, R. “Fintech, RegTech, and Reconceptualization of Financial Regulation.” Northwestern Journal of International Law and Business. (October 2016).

Bank of England. Fintech Accelerator. Press Release. June 17, 2016.

Bank for International Settlements. Irving Fisher Committee on Central Bank Statistics. Central Bank’s Use of and Interest in ‘Big Data’. October 2015.

Bauguess, Scott W. “The Role of Big Data, Machine Learning, and AI in Assessing Risks: A Regulatory Perspective.” Keynote Address at OpRisk North America 2017, New York, NY, June 21, 2017.

Caruana, Jaime. “Financial Inclusion and the FinTech Revolution: Implications for Supervision and Oversight.” Welcoming remarks at the Third GPFI-FSI Conference on Standard Setting Bodies and Innovative Financial Inclusion Services, Basel, October 26, 2016.

Dwyer, John. “The Growth of RegTech: Automating Regulatory Compliance in the Investment Management Industry.” Journal of Applied IT in Investment Management (November 1, 2015).

European Commission. FinTech: A More Competitive and Innovative European Financial Sector. Consultation Document. 2017.

Institute of International Finance. RegTech: Exploring Solutions for Regulatory Challenge. October 2015.

Kamali, Wilson. Leveraging “SupTech” for Financial Inclusion in Rwanda. World Bank Group (blog). June 8, 2017.

Kirby, Eleanor and Worner, Shane. Crowdfunding: An Infant Industry Growing Fast. Staff Working Paper SWP3/2014. International Organization for Securities Commissions. 2014.

Kelly, S., Ferenzy, D. and McGrath, A. How Financial Institutions and Fintechs Are Partnering for Inclusion: Lessons from the Frontlines. Joint report from the Center for Financial Inclusion at Acción and the Institute of International Finance. July 2017.

Ludwig, Gene and van Kralingen, Bridget. RegTech in the Cognitive Era: Insights from Gene Ludwig and Bridget van Kralingen. IBM Institute for Business Value. 2017.

Matthan, Rahul. RegTech Will Change the Way We Regulate. LiveMint. Oct 26, 2016.

Mihaescu, Mircea. The New Age of Algorithms. BankNXT. April 22, 2015.

Nejman, M., Cejnar, O. and Slovik, P. Improving the Quality and Flexibility of Data Collection from Financial Institutions. Bank for International Settlements. 2014.

Newton, Paula. Are You Ready for Algorithmic Regulation? IntelligentHQ. October 30, 2015.

Piechocki, Maciej. Big Data in Central Banks: Data as a Critical Factor for Central Banks. BearingPoint. 2012.

Skinner, Chris. “The Semantic Regulator (#RegTech Rules).” The Finanser (blog). February 1, 2017.

Transatlantic Policy Working Group FinTech. The Future of RegTech for Regulators: Adopting a Holistic Approach to a Digital Era Regulator. June 2017.

Van Liebergen, Bart. “Machine Learning: A Revolution in Risk Management and Compliance.” The Capco Institute Journal of Financial Transformation (April 2017).

Zetzsche, D., Buckley, R., Barberis, J. and Arner, D. Regulating a Revolution: From Regulatory Sandboxes to Smart Regulation. EBI Working Paper Series 2017-11. European Banking Institute, 2017.




[1] This note was prepared by Denise Dias on behalf of Toronto Centre.

[2] While noting that many innovations have not been tested through a full financial cycle, the Financial Stability Board (FSB) has concluded that for the time being there are no compelling financial stability risks from FinTech. See FSB (2017a). Taking a different view, staff from the Bank of Canada highlight that in the long run FinTech may affect areas of responsibility of central banks by changing money demand and the industrial organization of the financial system, which could affect monetary policy, currency demand, financial stability, and the need for a lender of last resort. They also predict that FinTech could affect employment and productivity (Aaron et al, 2017).

[3] The term “solutions” is used in this Note to mean software, computer applications and related products and services offered by RegTech and SupTech firms.

[4] Other relevant standard setting bodies include the International Association of Insurance Supervisors (IAIS), the International Organization of Securities Commissions (IOSCO), the Committee on Payments and Market Infrastructures (CPMI), the Financial Action Task Force (FATF), and the International Association of Deposit Insurers (IADI).

[5] Digitization of financial services has been relatively gradual in developed countries, while the speed of change in developing countries – where many people are leapfrogging from not having any access to financial services to using digital financial services – has been much faster.

[6] CPMI (2017), Wikipedia.

[7] For further descriptions, see FSB (2017b).

[8] Note that IOSCO (2014) classifies P2P lending as a type of crowdfunding.

[9] For instance, the Monetary Authority of Singapore (MAS), in partnership with other domestic authorities, is rolling out MyInfo, a KYC utility for banks.

[10] This joining of forces is sometimes referred to as the “disaggregation” or “horizontalization” of the financial services value chain, in which banks and other financial institutions focus on their different core capabilities to exploit synergy gains in their relationships with FinTech firms.

[11] A related issue is “open banking”, now required in Europe under the Second Payment Services Directive, which requires banks to allow third parties such as FinTech firms to access the data of customers who authorize it.

[12] For further explanation of how DLT works, see CPMI (2017). For an overview of policy and regulatory implications of DLT, see Cermeño (2016).

[13] There are two recently created RegTech industry bodies: the RegTech Council and the International RegTech Association – IRTA.

[14] IIF (2016).

[15] SupTech is not a term widely used in RegTech events or publications, but it is used in this Note to facilitate the differentiation of RegTech’s two sub-segments.

[16] Based on Deloitte and IIF (2016).

[17] This area is influenced by the complexity of the post crisis risk data aggregation and reporting requirements, such as those related to capital, liquidity, stress testing, FSB’s requirements on recovery and resolution plans, reporting on OTC derivatives, etc.

[18] Based on CGAP 2017 (forthcoming); Nejman et al (2014); and Piechocki & Dabringhausen (2015).

[19] Based on CGAP 2017 (forthcoming).

[20] See the explanation of how the UK FCA would “pull” data from regulated firms, a discussion that was part of FCA’s Regulatory Reporting TechSprint 2016.

[21] See a presentation about a proposed reporting utility for the UK, also prepared for the FCA’s Regulatory Reporting TechSprint 2016.

[22] Examples of authorities that have implemented regulatory sandboxes or similar concepts include: Abu Dhabi Global Market, Australia’s Securities and Investment Commission (ASIC), the Hong Kong Monetary Authority (HKMA), Bank Negara Malaysia, the Netherlands’ Financial Market Authority (AFM), the Monetary Authority of Singapore (MAS), the UK’s FCA, and the US’ Consumer Financial Protection Bureau (CFPB).

[23] Examples include the LabCFTC of the US Commodity Futures Trading Commission, the Bank of England’s FinTech Accelerator, the UK FCA’s Innovation Hub, the FinTech office of the Monetary Authority of Singapore and the OCC’s Office of Innovation.

[24] Examples of regulatory hurdles that could pose obstacles to FinTech are listed in IIF (2016).

[25] Aaron et al (2017), p. 2.