Financial institutions and their regulators have long been early adopters of new information technologies (IT). In a short essay based on two posts for the Oxford Business Law Blog (available here and here), I first identify four uses of regulatory technology, or RegTech, and then describe four roles for financial regulators in RegTech, and the challenges they face.

The various ways that regulators and policymakers use forms of IT such as data scraping tools, big data analysis, artificial intelligence, and machine learning algorithms can be divided into four categories. The first is Operations RegTech, which targets illegal behavior, such as manipulative trading practices. The second is ComplianceTech, which aims to improve the effectiveness of compliance and intra-firm surveillance. The third is OversightTech, which helps regulators conduct their supervisory functions. And the fourth is PolicymakingTech, which is designed to improve cost-benefit analyses supporting regulatory outcomes.

Financial regulators can play at least four, not mutually exclusive, roles in RegTech. They can develop, use, and possibly sell their own RegTech products; they can buy and use products developed by others; they can facilitate and coordinate market attempts to develop RegTech standards; and they can supervise RegTech firms. How well they perform each role depends on how they deal with the challenges of the new RegTech environment in four areas: human resources, governance, cybersecurity, and core operations.

The human resources challenge tests regulators’ ability to attract and retain software engineers capable of finding effective solutions and acting on an equal footing with their counterparts in the private sector, be they suppliers of OversightTech products or agents of supervised entities. The difference in value between an average software engineer and a top one is substantially greater than between an average lawyer and a top attorney. Lawyers at securities regulators and economists at prudential regulators have until recently been the most important employees,  and government agencies have long struggled to hire and retain the best among them, even though a stint in government can be valuable for a career in the private sector. Software engineers, however, may not gain as much from working for a regulator, and technology geeks may not be comfortable in the stiff and hierarchical environment of a government office.

The governance challenge stems from the probability that, for the moment, the people at the very top of a regulator’s organization don’t have much experience or skill with information technology in general and RegTech in particular. The inability to monitor IT specialists within the regulatory agency can result in flawed RegTech strategies, such as making huge investments in the development of sub-optimal software.

The cybersecurity challenge is self-explanatory and not particularly new but crucial nonetheless, given that regulatory supervision relies increasingly on interconnected IT systems. The bad news is that regulatory agencies have suffered major hacks already. The good news is that regulators and the private sector have the same interests in this area, so regulators can purchase the products developed commercially and benefit from innovation spurred by private demand.

Finally, it will be interesting to see how the cat-and-mouse game between the regulators and the regulated evolves. Mice will know that, thanks to RegTech, cats have improved their ability to detect unlawful activity. But there will always be uncertainty about what is and isn’t allowed. Regulators will need to avoid pursuing trivial violations, given the costly and labor-intensive nature of enforcement. How can regulators set their enforcement priorities so as to maximize deterrence and redress for victims? That leads us back to the governance challenge. Top management at regulatory agencies will have to set these priorities while also supervising their implementation through technology – RegTech – that they may not fully understand. How that plays out in practice will be essential to the effectiveness of enforcement efforts.

This post comes to us from Luca Enriques, the Allen & Overy Professor of Corporate Law at the University of Oxford. It is based on his recent article, “Financial Supervisors and Regtech: Four Roles and Four Challenges,” available here.