RiskTech vs RegTech
Self-help gurus tell us to name our fears in order to conquer them. This naming process helps us to understand why we are afraid and make us feel in control of the situation.
Perhaps that’s why so many in financial services have embraced the term RegTech. Bankers and credit union executives frequently worry about falling short of regulatory requirements. They imagine regulators coming in and finding specific regulatory violations. They worry about the cost of failing to comply. And they want to solve the problem as simply (and cheaply) as possible.
It comes as a relief to many when a company offering a RegTech solution swoops in offering to help tackle a specific regulation. RegTech sounds so cool and cutting edge. It lets an institution check a box saying a requirement is met through some form of automation. So the word RegTech creates the illusion of less effort and expense for compliance.
The problem is that examinations aren’t focused on checking a rule on a list, but they are focused on risk.
Rules vs. Risk
The ultimate goal of a regulation is to mitigate risk. Rules and regulations are created because someone believes there is a risk to the public significant enough that it must be addressed.
While one can debate whether or not these regulations are always reasonable, the merits of a particular regulation is a different topic.
When an institution buys software to deal with a specific rule, it often does so in a vacuum. It starts with a problem (a rule that needs to be complied with) and then finds a solution (software). This backwards, bottom-up approach is messy. It doesn’t consider the risk the regulation poses to an institution, like the controls needed systemically to prevent or mitigate the risk.
Let’s say an institution buys a piece of software to meet a new requirement to check names against a list when opening accounts. Job well done, right? Not necessarily.
What if having to check names makes that business activity riskier than it used to be? The institution may need to reevaluate whether that activity is worth the additional risk. What if the institution uses an outside vendor for some aspects of account opening? An institution with a good handle on vendor management risk will know to address the new rules with vendors and will have policies and procedures in place to ensure vendor compliance—and not just concentrate on a single internal activity.
But if an institution is dealing with regulations on a piecemeal basis, it can easily fail to recognize a potential threat or overlook an area of operations covered by the rules. The impact on the bigger picture is lost.
That’s why if we’re going to give a snazzy name to solutions, the term RiskTech is far more appropriate.
RiskTech solutions focus on the whole picture, identifying and examining the interplay of different types of risk across the entire enterprise. They ensure risk remains an integral part of all discussions. They also allow an institution to better understand and prioritize its risk management needs so it can more efficiently deploy resources to the most critical areas, instead of using a scattershot approach.
That’s not to say there’s no place for RegTech. RegTech is really a subcategory of RiskTech, which should be integrated technologically so that risk and compliance go hand in hand. Balancing risk with growth and the need to be more efficient and profitable is essential to success. RegTech can help with this goal but only when part of an institution’s overall enterprise risk management program.
Don’t let the label of RegTech trick you into thinking that simply checking off to-dos on a list of tasks is compliance. Risk must be conquered, and everything else follows in pursuit of that goal.