RegTech: Three Increasingly Regulated Industries
Regulatory technology (RegTech) companies perform exactly the function you’d expect; they provide technology that is used by businesses to manage and enhance regulations and regulatory processes to achieve and prove compliance. It’s a sector that is now growing at a pace of 19.5% annually and is expected to hit $21.73 billion by 2027, according to Reports and Data.
Such growth has been precipitated by a major upsurge in demand for a variety of reasons, but mainly a looming regulatory burden. The majority of RegTech companies work with clients in the financial services industry; it’s the most heavily regulated, after all.
That looming regulatory burden, however, does not just apply to the financial services sector. Below we’ll look at three other industries which are becoming increasingly regulated as time passes. But first, why are we seeing more regulation than ever?
Why is More Regulation Necessary?
A digital approach to working was greatly accelerated by the COVID-19 pandemic for many industries, as remote infrastructures needed to be conjured with great urgency, and communications habits shifted when face-to-face interactions became impossible. While a bedding-in period was permitted from a compliance perspective, JP Morgan’s $200 million fine in December 2021 seemed to signify that this adaptation period was over.
Regulation means a great deal of extra work for any company, but it also demonstrates transparency and accountability and therefore helps to build trust not just with regulators, but with customers and prospects alike. While certain industries (like financial services) lend themselves to greater regulatory attention than others, most are heading in the same direction, albeit at different speeds. Many will soon need to take more proactive steps towards adherence as their abundance of data is increasingly scrutinized, including the following examples.
1. Cybersecurity
One of the difficulties with regulating cybersecurity, and a deterrent up until this point, is that it is an industry founded in rulebreaking. How do you regulate a sector built to protect computer systems, when the groups that it is protecting from operating outside of any rulebook, and constantly devise new means of breaching the systems they’re targeting? Any regulatory framework can never be truly current; it’s a question of being as up-to-date as possible, rather than absolutely so.
In March 2022, SEC Chairman Gary Gensler proposed rules to ‘enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.’ These disclosures were intended to keep investors better informed and included reporting around cybersecurity incidents, plus periodic reporting for updates on previously reported incidents, as well as policies and procedures to identify and manage cyber risk.
It’s a lot of additional work to contend with. Considering the intricacies of the new rules and existing state regulations, third-party solutions may appeal to RIAs hoping to prepare effectively for the new landscape. One option for those interested in deploying an automated solution for cyber is to look for a provider that already specializes in RIA compliance. This would include the solutions providing compliance services in the financial services sector, for example.
2. Health Care
The health care industry accumulates an enormous amount of sensitive patient data on a daily basis, particularly in a world of increasing virtual consultations. Health care organizations are obliged to meet regulatory requirements from the Health Insurance Portability and Accountability Act (HIPAA), and the use of new and varied communications has made compliance increasingly difficult.
The government has used its discretion in penalizing HIPAA noncompliance occurring in good faith during the pandemic (a public health emergency) and beyond. This meant that the provision of telehealth services was relaxed, allowing providers to deliver care through a broad range of devices and technology platforms.
While such a reprieve was pragmatic and undoubtedly welcome, compliance officers need to be aware that it’s not a permanent resolution. Although some telehealth ‘flexibilities’ have become a permanent part of the landscape, others will expire 151 days after the end of the federal PHE, which was recently extended for another 60 days beyond July 15.
The administration used the pandemic as a time to investigate illicit areas of telehealth, such as telefraud scams that leverage aggressive marketing (e.g. cold-calling patients) or provide fraudulent telemedicine services. Post PHE, the government will use these findings to prioritize enforcement, with the Department of Justice’s Health Care Fraud Unit explicitly stating that they are “dedicated to rooting out schemes that have exploited the pandemic.” As such, it will be important for health care providers to provide records of their historical and ongoing marketing communications, including email campaigns and websites, in order to prove compliance.
3. Cryptocurrency
Following a tumultuous year in the cryptocurrency market, March 2022 saw president Biden sign an executive order on the responsible development of digital assets. Many considered this a significant breakthrough for the industry, and it demonstrated the administration’s acceptance that cryptocurrency was indeed worthy of regulation. This is particularly notable after many years of being deemed ungovernable and a Wild West, including by the SEC chairman himself, Gary Gensler.
The government is, however, starting from scratch on cryptocurrency, and months down the line, there is still uncertainty about what this regulatory framework will look like. The document was essentially a callout to a variety of relevant organizations (from the Treasury to the SEC) to spend time doing their due diligence, before sharing suggestions around how each of its objectives can be met most effectively.
This constructive and collaborative approach gives the best possible opportunity for the uniform application of regulations from ‘one rule book’, as favored by Gensler. This is strengthened by the fact that leading states have begun to follow the federal lead and issue their own executive orders in a similar vein. In terms of the desired outcomes, consumer protection is again a priority, and so customer-facing communications are once again likely to be heavily scrutinized in order to ascertain compliance, as with the financial services industry.
And How About RegTech Itself?
Many argue that RegTech is too young an industry to be regulated itself, as regulation can in fact hamper innovation for businesses at such an early stage of growth.
However, while it may feel a little meta and inception-esque (regulation within regulation), shouldn’t RegTech firms be held to the same standards as the clients they protect? There is no existing regulatory framework to oversee RegTech firms, and what better way to instill faith in clients and prospects than by demonstrating that they’re outsourcing to a third-party firm that knows how to present themselves (and by implication, others) in a compliant, trustworthy manner?
It’s a fine line that must be negotiated delicately.
For Your Information
In an increasingly digital, siloed world, RegTech services will continue to proliferate. Trust from consumers must be earned in different ways and is less contingent on smooth-talking executives, but compliance with the appropriate statutes and regulations.
Corporate conduct can now be held to a higher standard due to the abundance of information at regulators’ disposal. Examples like Deutsche Bank’s recent setback show that large corporations are increasingly accountable and that there are fewer places to hide in the age of information. The level of scrutiny is growing across the board, and so, by extension, is the number of heavily regulated industries. Cryptocurrency, healthcare and cyber are likely just the tip of the iceberg.
