FINRA's regtech report shows uses and challenges of new technology

NEW YORK (Thomson Reuters Regulatory Intelligence) - The Financial Industry Regulatory Authority has opened a discussion on the use of regulatory technology tools in compliance, by issuing a report{here} entitled "Technology Based Innovations for Regulatory Compliance (RegTech) in the Securities Industry".

Dealers look at monitors during trading at a foreign currency brokerage firm in Tokyo April 6, 2009.

The report comes as the agency itself is rolling out its improved technology, such as cloud storage and computing, big data analytics and natural language processing to enhance its market surveillance and other regulatory functions. It is also conducting a comprehensive self-review, called FINRA360{}, aimed at fostering internal innovation along with the industry it oversees.

It also comes as FINRA and other regulators are showing through enforcement actions and regulation the importance of technology tools in modern compliance processes.

“While the use of technology to help meet regulatory requirements is not a new phenomenon, the confluence of significant regulatory and technological changes over the past few years has created incentives for firms to rethink how compliance functions operate,” the report said. “These RegTech tools have the potential to fundamentally transform how securities industry participants perform their compliance obligations.”

FINRA encouraged the financial services firms it regulates to submit comments on the report, including suggestions about guidance or modifications to rules that may be needed to support the adoption of regtech solutions. Comments are due by November 30, and can be sent to via email to:

The report is based on the discussions with over 40 participants in the regtech sector, including broker-dealers, vendors, regtech associations, academics and other key players.

The FINRA report found firms were using regtech tools in the following ways:

-surveillance and monitoring;

-customer identification and anti-money laundering (AML) compliance;

-regulatory intelligence;

-reporting and risk management; and

-investor risk management.

The tools also pose challenges, the report said. These include supervision, vendor management, data privacy and data security.

Besides producing its report, FINRA has also established an Innovation Outreach Initiative{here} to work with industry participants to learn how its rules and program interact with financial technology tools. And it created a Fintech Industry Committee, consisting of firms of all sizes plus some non-member firms that offer such technology, to analyze fintech developments.

FINRA President Robert Cook in May expressed the agency’s desire to support fintech users and developers -- but also said that he wanted to hear about “any potential areas of innovation that would benefit from a greater focus on investor protection safeguards.”


Regtech is significantly being used to monitor employees -- especially traders and registered representatives in firms -- and research customers to meet regulatory obligations such as sanctions compliance, know-your-customer and beneficial ownership requirements, the report said. Some developers are using biometric data to track customers and distributed ledger technology so businesses can work together to monitor the same customers.

Regtech tools are being used to double-check that a firm’s policies, procedures and daily activities are meeting compliance obligations. Such tools can help greatly perform clearing and reporting tasks, plus perform gap analysis to help identify where holes in compliance programs exist.

The tools can also help the many departments and office branches of a business speak a coherent language and create a compatible picture of trading activity and customer profiles, helping to break down silos.

FINRA says a growing area of development in regtech is understanding customer risk tolerances. Using behavioral science and machine learning to learn from investors’ actions over time, these tools add another layer of understanding beyond investor self-reporting about their tolerances and expectations.

In regulatory intelligence, regtech tools offer a way to “catalog ... regulatory requirements in a user-friendly manner,” in real-time, and highlight pending changes and enforcement actions, the FINRA report said. It said natural language processing and machine learning are being used to read and interpret regulatory requirements, then pinpoint gaps in an organization’s compliance program.

Importantly, certain tools can be embedded in a firm’s operational and supervisory processes across many departments to make complying with regulatory requirements an integral part of the business process rather than an add-on. In this way, tools that review trades for compliance with specific rules before they are submitted for execution can help cut down on identifying problems after the fact.

Regtech tools help firms meet specific regulatory requirements, like the supervision rules contained in Rules 3110 and 3120{here}, by enabling firms to show they have the controls in place to detect noncompliance with FINRA, Securities and Exchange Commission (SEC) and other regulators' rules and have the ability to train the right people on an ever-evolving list of compliance topics.

They help firms monitor their vendors and manage their relationship with them, such as by helping to keep detailed records of their interactions with vendors -- from doing due diligence on the vendors to start, to helping with the recordkeeping obligations under rules such as 17a-3 and 17a-4{here}.

Since communications with the public (FINRA Rule 2210) must be carefully overseen{here}, regtech tools have given firms a chance to analyze social media conversations involving their products and services, plus their customers and employees, and track their own.


Several FINRA and SEC enforcement actions help to showcase how the regulators are both supporting regtech and working to ensure the tools work as expected.

The SEC's Share Class Initiative{here} was offered by the Commission earlier this year to encourage investment advisers to analyze whether their clients have been sold appropriate fund share classes and correct and report any problems -- all on a voluntary basis.

Such a program was ripe for regtech -- to help firms identify problems and help satisfy the initiative’s requirements.


Regtech must regularly be assessed for its suitability and effectiveness, as recent enforcement actions illustrate.

The SEC in August announced a $4.5 million settlement with Ameriprise Financial Services Inc.{here} over charges that the firm failed to safeguard retail investors' assets from theft by its representatives.

Five former brokers at the firm were named in the order. The SEC noted that four of those had been identified and fired in 2013, and one in 2016, with three of these individuals going to jail. The settlement involved fraud incidents at offices in Minnesota, Ohio, and Virginia in which client funds were allegedly stolen.

Investigators found that Ameriprise failed to detect some of the diversions either because of programming errors in its surveillance technology for monitoring fund disbursements or because of a failure to follow up red flags.

In June, Morgan Stanley paid $3.6 million to settle similar SEC charges{here} of inadequate supervision and failure of automated systems to detect questionable third-party transactions allegedly used by a former broker at the firm accused of misappropriating $5 million from the accounts of an elderly couple and their family.

The broker allegedly falsified electronic statements, account transfers and forged signatures to exploit what the SEC contends were vulnerabilities in the firm’s controls.

In July, Mizuho Securities USA LLC settled for $1.25 million with the commission{here} for allegedly failing to invest in the technology needed to safeguard information pertaining to stock buybacks by its issuer customers.


Regtech companies have become favorites of the private investment world as financial firms are expected to accelerate their spending on compliance technology to $72 billion by 2019 from $50.1 billion in 2015, according to research firm Celent.

Venture capitalists have invested $2.3 billion in regtech start-ups globally since 2012, according to data provider CB Insights. Funding volume is expected to drop 2 percent this year to $576 million compared to 2015, but activity is expected to grow 15 percent to 90 deals, according to CB Insights.

Even in the current period of limited deregulation, financial services firms still need significant assistance in understanding new regimes and updating their systems and processes accordingly, and the desire to cut costs and be more efficient will always remain.


Regulatory technology has the potential to continually monitor transactional activity and persons, provide close to real-time insights and raise red flags, and identify aberrations that human beings with their better sense of intuition can then use to follow up. Automated analysis plus human judgment can help a regulated business get a clearer picture of risks facing them and recalibrate immediately -- rather than simply taking the remedial action after the enforcement occurs.

Firms should have detection controls in place that alert the compliance department when certain types of trades are being executed, or even better (especially for certain types of trades and for certain traders under heightened supervision), that prevent certain trades from occurring, period.

Prevention is critical, and another key method is through education. Regular training -- a form of regtech in itself -- should refer to the possible consequences of trading techniques that favor certain investors and fraudulently manipulate outcomes for the firm and for employees themselves, which can be persuasive.

Any brokers that firms believe to be higher risk should be placed into an effective heightened supervision plan, including more frequent contact with the broker, more frequent review of the broker’s communications with customers, and more frequent monitoring or inspection of the broker’s branch office. The same goes for risky clients and vendors, if they are even on-boarded at all.

It is imperative that the firm document all of these heightened review measures.


Supervisors must be aware of the role they play in ensuring their personnel are using regtech tools, and that they are using them consistently and effectively.

Employees can be a firm’s best resource in detecting problems early and for being able to show authorities that they take seriously the detection and remediation of problems such as fraud and of sales practice abuse.

Such employees will use regtech tools they are trained to use, that are effective, and that complement their own compliance understanding, relationships and intuition.

Compliance officers can and should appeal to board members if they experience resistance to their firm’s investment in much-needed technology.

Performance metrics for compliance should reflect an embrace of the regulations around the testing of technological controls, monitoring technology and documenting any limitations with current tools.

Metrics for supervisors of broker staff should include the same, plus a willingness to report and potentially terminate those persons using regtech (or ignoring regtech) to commit investor harm promptly.

Regulatory technology can assist with this -- but those tools must have back-up systems in place.

****Thomson Reuters Regulatory Intelligence has launched its third annual Fintech, Regtech and the Role of Compliance Survey. The survey results and accompanying report will provide insight into both the developing regulatory approach and the direction and progress of risk and compliance functions in managing fintech, regtech and insurtech. This will enable firms to benchmark their own views and preparations against those of peers.

As with all TRRI surveys, information will be treated in the strictest confidence and the results will be shared anonymously through a special report. The survey{} should take no longer than five minutes to complete.

The second annual Fintech, Regtech and the Role of Compliance Report, which was based on the responses of nearly 800 financial services firms, can be downloaded {here}.

(Julie DiMauro is a regulatory intelligence expert for Thomson Reuters Regulatory Intelligence, based in New York. Follow Julie on Twitter @Julie_DiMauro. Email Julie at