Regulatory technology (RegTech) companies perform exactly the function you’d expect; they provide technology which is used by businesses to manage and enhance regulatory processes in order to achieve and prove compliance. It’s a sector which is now growing at a pace of 19.5 percent annually, and is expected to hit $21.73 billion by 2027, according to Reports and Data.
Such growth has been precipitated by a major upsurge in demand for a variety of reasons, but mainly ‘a looming regulatory burden’. The majority of RegTech companies work with clients in the financial services industry; it’s the most heavily regulated, after all.
That ‘looming regulatory burden’, however, does not just apply to the financial services sector. Below we’ll look at three other industries which are becoming increasingly regulated as time passes. But first, why are we seeing more regulation than ever?
Why is More Regulation Necessary?
A digital approach to working was greatly accelerated by the COVID-19 pandemic for many industries, as remote infrastructures needed to be conjured with great urgency, and communications habits shifted when face-to-face interactions became impossible. While a bedding-in period was permitted from a compliance perspective, JP Morgan’s $200 million fine in December 2021 seemed to signify that this adaptation period was over.
Regulation means a great deal of extra work for any company, but it also demonstrates transparency and accountability, and therefore helps to build trust not just with regulators, but with customers and prospects alike. While certain industries (like financial services) lend themselves to greater regulatory attention than others, most are heading in the same direction, albeit at different speeds. Many, including the following examples, will soon need to take more proactive steps towards adherence as their abundance of data is increasingly scrutinized.
One of the difficulties with regulating cybersecurity, and a deterrent up until this point, is that it is ‘an industry founded in rulebreaking’. How do you regulate a sector built to protect computer systems, when the groups it protects against operate outside of any rulebook, and constantly devise new means of breaching the systems they’re targeting? Any regulatory framework can never be truly current; it’s a question of being as up-to-date as possible, rather than absolutely so.
In March 2022, SEC Chairman Gary Gensler proposed rules to ‘enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.’ These disclosures were intended to keep investors better informed, and included reporting around cybersecurity incidents, plus periodic reporting for updates on previously reported incidents, as well as policies and procedures to identify and manage cyber risk.
It’s a lot of additional work to contend with. Considering the intricacies of the new rules and existing state regulations, third-party solutions may appeal to RIAs hoping to prepare effectively for the new landscape. One option for those interested in deploying an automated solution for cyber is to look for a provider that already specializes in RIA compliance. This would include the solutions providing compliance services in the financial services sector, for example.
The healthcare industry accumulates an enormous amount of sensitive patient data on a daily basis, particularly in a world of increasing virtual consultations. Healthcare organizations are obliged to meet regulatory requirements from the Health Insurance Portability and Accountability Act (HIPAA), and the use of new and varied communications has made compliance increasingly difficult.
The government has ‘used its discretion’ in penalizing HIPAA noncompliance ‘occurring in good faith’ during the pandemic (a Public Health Emergency) and beyond. This meant that the provision of telehealth services was relaxed, ‘allowing providers to deliver care through a broad range of devices and technology platforms.’
While such a reprieve was pragmatic and undoubtedly welcome, compliance officers need to be aware that it’s not a permanent resolution. Although some telehealth ‘flexibilities’ have become a permanent part of the landscape, others will expire 151 days after the end of the federal PHE, which was recently extended for another 60 days beyond July 15th.
The administration used the pandemic as a time to investigate illicit areas of telehealth, such as ‘telefraud’ scams that leverage aggressive marketing (e.g. cold-calling patients) or provide fraudulent telemedicine services. Post-PHE, the government will use these findings to prioritize enforcement, with the Department of Justice’s Health Care Fraud Unit explicitly stating that they are “dedicated to rooting out schemes that have exploited the pandemic.” As such, it will be important for healthcare providers to be able to produce records of their historical and ongoing marketing communications, including email campaigns and websites, in order to prove compliance.
Following a tumultuous year in the crypto market, March 2022 saw President Biden sign an Executive Order on the Responsible Development of Digital Assets. Many considered this a significant breakthrough for the industry, and that it demonstrated the administration’s acceptance that crypto was indeed worthy of regulation. This is particularly notable after many years of being deemed ungovernable and ‘a Wild West’, including by the SEC Chairman himself, Gary Gensler.
The government is, however, starting from scratch on crypto, and months down the line, there is still uncertainty around what this regulatory framework will look like. The document was essentially a callout to a variety of relevant organizations (from the Treasury to the SEC) to spend time doing their due diligence, before sharing suggestions around how each of its objectives can be met most effectively.
This constructive and collaborative approach gives the best possible opportunity for the uniform application of regulations from ‘one rule-book’, as favored by Gensler. This is strengthened by the fact that leading states have begun to follow the federal lead and issue their own Executive Orders in a similar vein. In terms of the desired outcomes, consumer protection is again a priority, and so customer-facing communications are once again likely to be heavily scrutinized in order to ascertain compliance, as with the financial services industry.
And how about RegTech itself?
Many argue that RegTech is too young an industry to be regulated itself, as regulation can in fact hamper innovation for businesses at such an early stage of growth.
However, while it may feel a little meta and Inception-esque (regulation within regulation), shouldn’t RegTech firms be held to the same standards as the clients they protect? There is no existing regulatory framework to oversee RegTech firms, and what better way to instil faith in clients and prospects than by demonstrating that they’re outsourcing to a third-party firm that knows how to present itself (and by implication, others) in a compliant, trustworthy manner?
It’s a fine line that must be negotiated delicately.
For your information
In an increasingly digital, siloed world, RegTech services will continue to proliferate. Trust from consumers must be earned in different ways, and is less contingent on smooth-talking executives than on compliance with the appropriate statutes and regulations.
Corporate conduct can now be held to a higher standard due to the abundance of information at regulators’ disposal. Examples like Deutsche Bank’s recent setback show that large corporations are increasingly accountable, and that there are fewer places to hide in the age of information. The level of scrutiny is growing across the board, and so, by extension, is the number of heavily regulated industries. Crypto, healthcare and cyber are likely just the tip of the iceberg.