The battle for 'Operational Resilience': regulatory compliance v trusted technology

​Armed with his customary pint of bitter and a packet of Steak flavour pringles – not your typical Supper Club cuisine – our host Lee kicked off the final episode of our virtual trilogy:
​

• Does the path to greater resilience require a combination of increased regulatory compliance and trusted technology?  ​​

A pertinent topic at the best of times; the Covid-19 outbreak has underlined the need to instil operational resilience before, during and after a crisis so businesses can respond, recover and thrive.

Nicola Anderson – Strategic Development Director FinTech Scotland
First on the virtual podium was Nicola Anderson, who in her role at FinTech Scotland – a strategic enabler of collaboration within the FinTech ecosystem – has been working with businesses to stay relevant during these challenging times. Nicola began by highlighting Fintech Scotland’s resilient community of around 140 SMEs; none of which have been forced to stop or pause by the impact of Covid-19 – an ingrained resilience that’s born out of the ability to problem solve and reinvent.

FinTechs innate agility not only enables them to adapt during a crisis and weather the storm – or even thrive in some cases – it can help their clients do the same.

​For example, FinTechs that operate in the B2B space have been using this flexibility to overcome obstacles created by the lockdown restrictions – from pivoting into a different sector to making physical tasks possible in a virtual environment.

​This got Nicola thinking: can other sectors adapt in similar situations? To gain an insight, she posed the following question to the audience: will the incumbent FS sector truly be able to innovate using legacy systems? Just 19% of respondents said yes.

​Nicola concluded by identifying what she believes are the three key components of greater resilience:

• Technology – this is vital to achieving ongoing resilience, but we must be able to trust its efficiency and security.
• Data – our access to, and use of, data in a rapidly evolving world will help us to understand and maintain resilience – and support businesses through the Covid-19 crisis and beyond.
• People – organisations must look beyond technology and consider their people, without whom resilience is just a buzzword.

Chris Skinner – author, financial commentator and self-proclaimed troublemaker
Chris kicked off by examining the relationship between finance and technology. Finance is a marketplace that craves stability, security, reliability, resilience and risk avoidance. Technology, on the other hand, is inherently risky; it’s all about innovation, changing the game and doing things differently. Trying to bring these two opposing forces together can create friction that’s difficult to manage.

Technology is changing the financial landscape, due to the proliferation of granular financial solutions that involve hundreds or even thousands of companies in the process. This innovative technology is enabling financial inclusion on a massive scale. For example, in 2010 just 35% of the population in India had access to banking services that most of us take for granted; fast-forward eight years and this had risen to 82% by 2018 thanks to the rapid development of the technology stack there. But what about making a financial transaction on Mount Everest next time you pop to the summit? Don’t worry, someone has already proved that it’s possible.

With thousands of companies offering specialised financial services using technology, Chris believes that banks will become the trusted providers of these apps and APIs over the next decade – a move that will help to improve resilience. The Covid-19 crisis is dramatically accelerating the need for digital transformation across the financial services sector. Most notably in the large traditional institutions, many of which failed to implement digitally-focused contingency plans that mitigate the impact of lockdown restrictions.

Chris believes that too many organisations are treating digital deployment as a project rather than vital institutional change. To address this, we need leaders that understand how to use technology effectively in a finance context, together with the opportunities – and risks – it presents.

​People that can harness its power to deliver integrated partnerships, collaboration and new services via digital platforms.

Do we need increased regulation and compliance for trusted technologies? Chris doesn’t think so. What we need is fine tuned granular regulation that addresses trusted technologies at the level they’re operating at, rather than a framework that covers the whole supply and value chain of finance.

Georgios Samakovitis – University of Greenwich, Principal Lecturer in Computer Science (incl. AI)
Our third esteemed speaker was Supper Club veteran Georgios Samakovitis, who was eager to discuss how trusted technology is a prerequisite for compliance. Cybercriminals are unbound by operational bureaucracy, regulations and compliance, which enables them to utilise hot technologies such as AI, blockchain and machine learning in ways that legitimate organisations can only dream of. So, what can we do to mitigate this?

Any regulatory model is only as effective as the data you feed into it – if you put rubbish in, you’ll get rubbish out. To leverage the right data, we must consider its quality, resilience, availability, security and transparency. We also must remember that technology supports decisions, it doesn’t make decisions on our behalf – for now at least.

Technology supported decision making doesn’t just mean AI – a concept that is often bandied around more than it’s practically used. The challenge is for technology as a whole to become more precise. If organisations fail in this pursuit, the costs can be high – catastrophic even!

Explainable AI (XAI) relates to the development of efficient models that we can interpret and understand. This might sound obvious, but it’s often easier said than done. The motivation for developments in XAI is the need to balance efficiency (making the right decisions) with compliance (knowing why the decision is right or why things have gone wrong). This begs the question: how do industry and regulators value explainability versus efficiency – and what is the right balance?  

​If we accept that AI is useful in supporting compliance in a regulatory context, we need to know: What is it adding? Why is it required? Who is verifying it? Take blockchain and smart contracts: promising work has been conducted in the RegTech arena to embody rules into self-executable script to verify or manage compliance. We must also consider that these technologies are already being used to avoid regulatory jurisdictions that can be automatically identified.

Does regulation hinder technology such as AI?

​The FCA has made it clear that innovation shouldn’t be impeded in the financial sector.

Unfortunately, there is a natural conflict between regulation and innovation. Laws are by their very nature reactive, while innovation is about leveraging uncertainty and creating the bulk of its value in the more loosely regulated spaces. 

The challenge for regulators is to strike a balance between facilitating innovation and developing a safe, ringfenced framework for profitable business – one that also guarantees security and integrity.

What does the future hold for data and its governance? Georgios believes a move towards regulation as a service or privacy as a service could be the right direction; a path that is already being taken in the FinTech space, where the redefinition of services and a new ecosystem are being created and supported – making room for innovation without impeding the regulators.

Panel Q&A Session
With plenty of fat still to be chewed, it was time for our experts to answer questions from our enthusiastic audience. They were joined by three special guests:

• Chris Grant – Law tech Director at Barclays Ventures
• Gareth Evans – Founder of Digital Risk Advisors
• Thomas Alderse Baas – Senior GRC Lead at Bowman Group and AI certified

Gareth highlighted that it was interesting to see how different panellist approached this topic in completely different but compelling ways. His own perspectives are shaped by clients who recently struggled to execute unwieldy business continuity plans, or have an eye on future FI regulations, necessitating prioritising, monitoring and maintaining service lines most critical to customers during a crisis. The PRA and FCA guidance says that we must think about regulatory compliance from a customer and market perspective. Therefore, we should ask: which of these processes are critical in any crisis and what can they not withstand? If we can prioritise the processes that matter most under the guidance of the regulations and limit our focus on the technologies, systems and people around those areas, we can make the contingency plans more manageable.

Thomas believes the number one emerging technology is AI, and he is starting to see an interest amongst his customers to start leveraging it. Within GRC specifically, he believes machine learning is the most valuable branch of AI, provided it receives good quality data. He explained that businesses often struggle to map their controls to the various regulations to prove they are compliant. AI has the potential to add real value to this process – which is currently conducted manually – by predicting those mappings.

Chris explained innovative technologies have been around for some time, but it took a pandemic to trigger a transformation in the way businesses operate (e.g. Docusign is 20 years old but wet signing was still the preferred option until recently). Firms have finally started working together, and with regulators such as The Law Society, to try and find solutions. This will hopefully embed technology that helps us work more efficiently. The more this happens, the easier it is to adopt the next piece of technology and gather relevant data that helps to drive things forward.

Summary
Innovative technology provides businesses with great opportunities but comes with greater customer / employee responsibility. Technology is supposed to make our work and home lives easier but seems to have added to the complexity.
​
​Emerging FinTech / AI could be the technology to add order to this chaos; however, to succeed new regulation must be created, adhered to and policed (both the creation of and adherence too). Regulation may be perceived to be stifling progression but without it 'trust' may be lost.

Georgios explained post event that 80-90% of AI related theoretical foundations were established in the 1970s. It's other parallel developments that revived AI: cloud, crowd, mobile comms, consumerisation, distributed architectures, parallel computing, platform economics. AI is not unlike any technological stream of innovations. Drawing from the banking tech history, it has similarities with the Holerith tabulating machines in banking in the 1920s, 'modern automation' in the 50s, ATMs in the 60s, mainframes in the 60, ERP in the 80s, e-banking in the 00s, Blockchain post-2016.

Fundamental and Technological uncertainty in then-newly introduced markets fuels innovation, funding flows in, and more complete understanding and appreciation of the affordances of each technology (AI included) comes later. With that, comes more stability, with opportunity then fuelled by market uncertainty. This is where I think we're at with AI, and exploring the limits and limitations is both a commercial exploitation exercise, as well as one of regulators wishing to maintain and ring-fence the balance and safety of the frameworks wherein business happens.
​
Lee summarised his thoughts post event by explaining that prosperous, agile and innovative companies exist at the ‘Edge of Chaos’.​Informed decision making allows proactive enablement of regulatory and compliance rules e.g. automation leads to reduced chaos and improved efficiency:

Resilience Success = 'Realistic Optimism' + 'Subservience to Purpose' 
​+ 'Positioning yourself at the Edge of Chaos'
Copyright GRC Edge - Adapted from 'Complexity & Creativity in Organisations' 1996

The reality is that you – the esteemed reader – will need to review the evidence provided and draw your own conclusion. We will see you all at the next GRC Supper Club, be it in the real or virtual world! 

​Stay safe one and all.