Pizza, Pitstops and Agile Regulation

Abstract

The very approach to financial regulation is changing these very days. Fast-paced, wide-scale disruptive technologies such as Gen AI have propelled a fundamental, global shift from Prescriptive Regulation to Agile Regulation.

Agile Regulation is a concept that includes several types of regulatory strategies, and primarily Outcome-focused Regulation (OFR). OFR, as its name suggests, focuses on the desirable outcome of a certain regulated process, rather than prescribing the measures required in order to comply. As such, it sets the regulated entity in a position of a de-facto co-regulator, in-charge of designing, implementing and constantly testing its own procedures.

A prominent recent example of OFR is the UK Consumer Duty, which requires firms to ensure their products and services are fit for purpose and offer fair value, as well as to help consumers make effective choices or act in their interests.

This tectonic shift brings with it an immense field of opportunity. Mainly, it allows firms to shape their processes – both internal and external – in whatever way they deem most efficient (both from an operational standpoint and a client-facing one), thus allowing them to gain a considerable competitive advantage.

However, it also poses several possible pitfalls. To financial institutions, the move away from “checklist compliance” not only denies them a major compliance tool, but also de-facto shifts the “burden of proof” onto them, without providing them conclusive guidelines as to the type, quantity etc. of evidence which is required.

This profound change in compliance regulation and enforcement theory necessitates an equally profound change in compliance practices. In recent years, compliance practices have become more proactive, strategic and agile, boosting the popularity of terms such as “Proactive Compliance” “Strategic Compliance”, etc.

Whereas there is no need to coin another such term, there is a need to point out 6 factors which are key to any compliance program in this new age of regulation, among them the connection of processes, and purpose-in-actions. These can only be achieved through a focus on process design, smart automation, and data gathering and analysis. Firms need to complete their move away from rigid frameworks to flexible, configurable software platforms which allow for easy, non-code process changes, which can make their compliance programs ready for this new age of regulation.

Introduction – What Is Agile Regulation?

In June 2019 the British Parliament was presented with a white paper titled “Regulation for the Fourth Industrial Revolution”. In the foreword to this white paper, the Secretary of State for Business, Energy and Industrial Strategy wrote: “The world is changing faster than ever. New technology is creating new industries, changing existing ones and transforming the way things are made. We need a more agile approach to regulation, that supports innovation while protecting citizens and the environment”.

According to the white paper, the “agile approach to regulation” in this forthcoming Fourth Industrial Revolution brought upon by technologies such as AI, wishes to move away from “prescriptive legislation” and towards an “outcome-focused, flexible regulatory system”. This, as “Prescriptive legislation can provide clarity for businesses today but… it can divert funds from investment to ‘tick box’ compliance without providing adequate safeguards for society”.

According to the head of the FCA in an interview from August 2024, the implementation of this approach is well underway: “I think we have really moved to be operationally different. We have shifted the dial quite significantly in terms of consumer protection with outcomes-based regulation”.

And the UK is, by no means, alone in this transition to Agile Regulation. On December 2020, the OECD (Organisation for Economic Co-operation and Development) published its “Agile Regulation for the Fourth Industrial Revolution – A Toolkit for Regulators”, in which it added also “Anticipatory Regulation” and “Experimental Regulation” to the aforementioned OFR. The OECD backed its toolkit in October 2021 with a clear “Recommendation for Agile Regulatory Governance to Harness Innovation”, and with further policy papers such as the April 2024 “Regulatory Experimentation: Moving ahead on the Agile Regulatory Governance Agenda”.

The One Billion Dollar Pizza Problem

Agile Regulation was born out of an attempt to deal with fast-pace, evolving technologies. It is a de-facto acknowledgement that the legislation process of Prescriptive Regulation is too slow to keep-up with financial innovation. A prime example of that is Cryptocurrency. Cryptocurrency has been around, conceptually, since the 1980s; and the first Cryptocurrency commercial transaction, in which a programmer bought a pizza for 10,000 Bitcoins (a mere 1BN in today’s exchange rate) famously took place on May 22, 2010 (now known as “Bitcoin Pizza Day”).

Despite the ever-growing use of Cryptocurrency during the 2010s and early 2020s, including some grand-scale cases of mis-use, regulation of Cryptocurrency – generally speaking – did not “ripe” until the early-mid 2020s. This type of under-regulation and “exposed market” is what policymakers want to avoid, hence this global-scale shift towards OFR. However, Agile Regulation does not only have the potential to speed up regulatory processes, but also change their very fabric, turning regulated entities into de-facto co-regulators.

Formula 1, Co-regulators and the Field of Opportunity

Though in an entire field altogether, the FIA’s (Fédération Internationale de l’Automobile) Formula 1 Technical Regulations are a good example of Prescriptive Regulation. This 177 page long document, which, in its different iterations, has shaped motorsports for many years now, determines everything from the car’s mass distribution to the manner its engine should start (“A supplementary device temporarily connected to the car may be used to start the engine in the team’s designated garage area, in the pit lane and on the grid”, in case you wondered).

Most will agree, that Formula 1 cars are fast and its races are exciting. However, think how potentially faster and more exciting the races would be if the FIA’s only regulations were that the cars should be fast and safe to drive! The variety of cars would increase, creativity will be set loose, and innovation will thrive.

And not only car-manufacturing innovation will thrive; compliance innovation will thrive as well. Why? Because if the FIA’s only 2 regulations are that the car should be fast and safe, manufacturers will have to come up with ways to prove that. Fast – well, that is easy to prove; but safe? This will require manufacturers to perform crash tests, gather data, analyse it, and present it to the FIA’s inspectors (who, instead of going over a 177-page long “checklist”, will now be exposed to entirely new sets of data, enriching their knowledge as well).

This demonstrates the additional benefits supporters of OFR hope it will bring. According to them, this type of regulation can potentially:

1. make the regulated entities, in effect, co-regulators, thus also reducing the governmental spend on regulation;
2. allow the regulated entities to shape their compliance process in the most efficient manner (reduce compliance costs and obtain operating and competitive advantages); and
3. boost compliance-related innovation.

And this is exactly where the field of opportunity of OFR lies – it allows the regulated entities to shape both their products (be that product a car or a transferable security) and their compliance processes the way they deem most efficient. By doing so, it also encourages innovation, data-based decision making, expedites the creation of market-led standards and practices, and exponentially increases the number of regulators (as all participants are, in a very real way, co-regulators).

From Pitstops to Pitfalls

Unfortunately, OFR has its potential pitfalls. Perhaps the most obvious one has to do with certainty.

Certainty is a key component in financial markets. All financial markets participants need it, to some extent, in order to rationally plan their activities. However, OFR puts the emphasis on, well, the outcome, not specific actions; therefore, by definition, lowers the level of certainty in the market.

In order to compensate for that, regulators will likely issue guidance, that will change from time to time, according to accumulated data and acquired experience. The possible pitfalls here are clear: similar to “over regulation” and “under regulation”, “over-guidance” will take us back to Prescriptive Regulation; “under-guidance” will leave market participants in a state of uncertainty.

In the context of the UK Consumer Duty, for example, it is too early to know if the FCA is “over” or “under”. There is quite a lot of guidance already in place – including a 121 pages long “Final non-Handbook Guidance for firms on the Consumer Duty”, but given the scope of the duty and its early stages of application, it is still too early to draw conclusions.

Another major pitfall, this time from the firms’ perspective, is the de-facto reversal of the burden of proof. If, so far, firms had, in most cases, “checklists” to rely on in their dealings with regulators; the new regime shifts the “burden of proof” onto them, and not only that – it does not provide conclusive guidelines as to the type and quantity of “evidence” required.

Take, for example, the UK FCA’s “Consumer Duty” requirement – which can be summed-up as the requirement to achieve the best results to your client. The FCA states, in an information webpage for firms, under “Our approach to supervision and enforcement”, that “With the Duty in force, firms need to… be able to show us, that they are acting to deliver good customer outcomes“.

The FCA states that it will “understand that some firms will need to continually improve the way they use data and analytics to demonstrate compliance and we will be pragmatic and open in working with them on this”; but the message is clear: you prove to us, and data and analytics now reign.

Compliance In Everything We Do

Positioning the Compliance functions of firms as co-regulators places a much heavier onus on the already-swamped function. A firm will now, potentially, be required to show not only what actions it had performed, but also why it did not perform other actions, compare with other cases, show different possible results for trades etc. Meaning, it may need to “build” an entire “case”. This will require more in-depth involvement of the Compliance Officer / Risk / Legal in all the firm’s operations, and a new way of modelling operations in order to cater for that.

And this is perhaps the most serious challenge to financial institutions in this new regulatory landscape. As regulation will no longer be a “tick-box” exercise, and, in a very real manner, regulated entities are now required to be co-regulators, a paradigm shift in the place of Compliance in the organisation is imminent. Or, in other words, the Fourth Industrial Revolution brings upon a regulatory revolution; which, in turn, necessitates a Compliance Revolution.

However, and this is important to emphasise – this is a golden opportunity for all the organisation’s functions to re-design processes in a data-driven, operational-efficient manner. This re-design process should take into account the following key factors, who are instrumental to compliance in this new regulatory age:

1. Data-infused. Firms need to be able to fully gather, logically arrange and securely store data related to their processes.
2. Analysis-driven. In an outcome-focused regulatory system, continuous analysis of the data is imperative. One needs to constantly prove that the current data supports their claim for compliance.
3. Flexibility. As ongoing-analysis is being conducted, it is inevitable that some changes to processes may be required, on an ongoing basis, in order to maintain compliance. Also, as regulatory expectations are conveyed via guidance and not legislation, it is expected that the rate of changes in those expectations will be higher. Firms therefore need to be able to change their processes quickly without burdening their operation. This flexibility needs to be a built-in feature of the compliance program.
4. Outcome-oriented. Of course, in an outcome-focused regulatory system, the outcome is king. This means that the firm should be able to first identify different outcomes (including setting clear “acceptable” and “non-acceptable” thresholds); then, identify their causes; and be able to prove these outcomes were achieved on a consistent, non-discriminatory basis. 
5. Connected processes. Process fragmentation is one of the biggest issues within Compliance itself, and within the interface between Compliance and other functions in the organisation. Process fragmentation causes, among other things, time-waste, errors, and impedes correct and timely data gathering and analysis, as well as flexibility. It is the ultimate killer of operational efficiency, and therefore the connection of processes should be set as high priority. It will also consequently eliminate many manual, repetitive tasks, hence provide Compliance personnel more time to focus on higher-value tasks.
6. Compliance-in-everything-we-do. As Compliance may have, in a certain point in time, prove that a certain action is compliant or has contributed to compliance, all processes are now also compliance processes, and should be designed and reviewed from a compliance angle as well.