Regulators and Rubber-stamp RegTechs

In recent months, several regulators worldwide have issued opinions regarding various aspects of RegTech solutions, such as the capabilities they should have, how they should be implemented, and the risks involved with their usage.

These detailed documents touch upon a wide range of topics. However, it is interesting to note that they all express the same idea: while technology can be used to improve compliance in financial markets, this is often not the case, and, in fact, improper use of RegTech can be, in itself, harmful.

In the EU, the EBA goes as far as saying – backed by data obtained from national authorities – that “A careless use of innovative compliance products can lead to money laundering and terrorism financing risks”, and, in fact, “over half of serious compliance failures reported to the EBA’s EuReCA database involved the improper use of RegTech tools. Despite its potential to enhance compliance, RegTech is often poorly implemented due to lack of expertise and oversight”.

In Nigeria, the Central Bank does not settle for sounding warnings, and literally draws up what an AML solution should look like, in order to make sure the systems used in the country are fit-for-purpose.

Similarly, in the UK, the FCA looks into even the finest details of the customer journey, and notes good as well as bad practices.

These documents mark what seems to be a more “in-depth” involvement of regulators in the RegTech area, and may signal a shift from today’s indirect oversight of RegTechs – through outsourcing guidance and legislation such as the EBA Guidelines on Outsourcing Arrangements and the Digital Operational Resilience Act – to a more proactive approach, which may even lead to direct oversight in certain cases.

In any case, one thing is clear, and regulators also state it themselves – the review of the way RegTech solutions are being used and implemented will continue, and will become an integral part of supervision going forward.

Rubber-stamp RegTechs

As we are discussing direct oversight, it is important to state that we at Muinmos have long advocated for the regulation of RegTechs. This is, among other things, because we see many RegTech vendors adopt practices which are not consistent with good compliance practices, as evidenced also by the terminology they use.

For example, many RegTech vendors proudly boast “high pass rates” of IDs as a positive selling-point. It is easy to understand why – “high pass rates” means firms can accept more clients, and make more money.

However, in this case “high pass rates” may mean that clients who should not have passed the ID check did pass it, and their acceptance as clients exposes the financial system (and the firm itself) to harm.

Meaning, boasting “high pass rates” is, potentially, boasting being a “rubber stamp”, not a compliance solution.

That is why, for example, we at Muinmos prefer the term “completion rate”. Of all client journeys initiated by the Muinmos AI-powered Platform, over 97% have been completed. Whether or not a client has “passed” or “failed” the various checks and assessments is up to the client’s circumstances, the firm’s policies etc. – the Platform cannot control that, and therefore should not “boast” that as if it is its own achievement.

The EBA’s Review of Risks and RegTech

As stated above, on 28.07.2025 the EBA published an opinion on AML/CFT risks, warning that “careless use of innovative compliance products can lead to money laundering and terrorism financing risks”.

The EBA starts its report by addressing FinTech – “FinTech: innovation comes at the cost of compliance” – and stating that National Competent Authorities (NCAs) are worried “that some FinTech providers may be prioritising customer acquisition over compliance” (hence, in our context, would prefer “rubber-stamp” providers).

With regard to RegTech, the EBA notes that “The unthinking use of RegTech creates ML/TF risks”, and specifies the main types of risks identified in relation to RegTech. Among those:

  • “Lack of internal skills and experience” (in the financial institutions);
  • “Inadequate transparency and explainability”; and
  • “Improper setting of parameters and thresholds.”

The EBA makes it very clear that the supervision of the way financial institutions implement RegTech solutions will continue, noting that “RegTech solutions offer significant potential for better compliance and a reduction of manual errors, but their successful deployment has been hampered by inadequate in-house expertise, poor governance and insufficient oversight”, and therefore recommends that “competent authorities should continue to identify and promote good practices in the use of RegTech – such as streamlining workflows, creating dynamic risk profiles and enabling institutions to manage large data volumes efficiently, while taking the steps necessary to ensure that these tools are used responsibly.”

Meaning, the EBA specifically states that a review of RegTech solutions and especially their implementation is something that will be ongoing, and an integral part of supervision going forward.

The Nigerian Guide for Avoiding “Rubber-stamp” Solutions

On 20.05.2025, the Central Bank of Nigeria (CBN) published its “Exposure Draft on Baseline Standards for Automated AML Solutions” (the “Baseline Standards”).

The Baseline Standards are, in effect, a type of Software Requirement Specification (SRS) or Product Requirement Document (PRD), laying out what the CBN believes is a good overall system for KYC/AML compliance.

The backdrop to this very detailed, very thought-through document is twofold:

1. The CBN’s acknowledgement that automated AML solutions play a hugely important part in the prevention of financial crime: “As financial transactions become increasingly digitized, the need for robust, automated AML solutions has never been more urgent.”

2. The CBN’s acknowledgement that the current situation is far from being optimal (Nigeria has been placed on the FATF’s “grey list”), and its “aim to ensure uniformity, efficiency, and regulatory compliance in AML solutions across financial institutions in Nigeria.”

Meaning, the CBN sees RegTech solutions as a very good way to turn the tide – improving the quality of compliance by improving the quality of compliance solutions. However, the CBN wants to make sure this is done correctly.

Accordingly, the Baseline Standards hold a series of requirements and specifications, which, as a whole, are meant to guide financial institutions into selecting good RegTech solutions, not “rubber-stamp” ones.

The Baseline Guidelines are many, but it is worth focusing on two main principles which clearly come through:

1. A non-fragmented, comprehensive solution which connects all aspects of KYC, KYB, AML – the Baseline Guidelines make it very clear that fragmentation is no longer an option. Over and over again through the Baseline Guidelines terms such as “centralized” and “integration” are being used, with the system required to “include a centralized dashboard…”, “support seamless integration with other key financial systems…”, and “leverage Application Programming Interfaces (APIs) to enable seamless integration between systems and ensure smooth data flow”.

The CBN is sending a clear message – the days of fragmentation are over. A system needs to be not just digital, but also interconnected. AML, KYC, KYB, risk profiling – all should be part of the institution’s overall system:

“The AML solution shall have real-time access to the customer due diligence information for risk profiling, screening and transaction monitoring.”

Meaning, all aspects should be tied together.

2. No-code configurations – the Baseline Guidelines also put an emphasis on how easy it is to configure the solution, and insist that the financial institution not be overly dependent on the solution provider for such configuration. For example, the CBN requires the ability to “Configure the AML system to allow for rule updates and scenario modifications with minimal vendor dependency”, and also requires that “The solution should be customizable to meet the specific needs of the financial institution, including the ability to tailor rule configurations, risk scenarios, and alert thresholds.”

These two principles address two very acute pitfalls of “legacy systems”:

1. They are often not connected, and require some manual intervention (a simple example would be moving a file from one environment to another, or keying in information received from the screening solution into the risk tool).

It is important to state, in this regard, that solving this issue does not just improve compliance, but also immensely improves both customer experience and operational efficiency (Muinmos clients achieve onboarding times that are 45% to even 96% faster).

2. They are often difficult to re-configure, harming the institution’s ability to adapt to even the slightest of regulatory changes. Here too, it is important to emphasize that having an agile, no-code configurable system not only helps improve compliance, but also gives the financial institution the ability to open new markets and products quickly, making it both compliant and agile (86% of Muinmos’ clients interviewed during 2025 stated Muinmos improved their ability to comply and expand globally).

The UK FCA’s Review of Digital Design of Online Customer Journeys

Another interesting review by a regulator of what is essentially a RegTech solution (though, here, the review is of a much narrower aspect of it) is the FCA’s “Digital design in customers’ online journeys: good practice and areas for improvement”, published 31.07.2025.

Here, the FCA reviewed online journeys of consumer credit providers (but stated that “The findings… might be of interest more broadly to those firms with a digital presence”), and identified some very interesting good and bad practices, which can be of aid to firms seeking to design their online journeys correctly.

One of the more interesting recommendations was to “Consider whether adding friction can help customers with their decisions and how it may affect customer choice”. This is counter-intuitive to the way customer-journeys are usually designed; however, it is a good reminder that sometimes, compliance can cause friction – and the real “art” is how to create a customer-journey that is both compliant and as smooth as possible.

This takes us back again to the “rubber-stamp” providers – they will, undoubtedly, avoid asking any question which may reduce the “pass rates”. However, the FCA makes it very clear that this may lead to the firm being seen as non-compliant.

A good example of that is client classification. Many firms rely on “self assessment”, requiring the applicant to declare they are “retail”, “professional” etc. They do this even though it is not compliant with many regulatory frameworks, which impose the obligation to perform the assessment on the firm itself.

Many do so, as they believe client classification rules are cumbersome, and may create friction that will lead to drop-off during the journey. However, as we can learn from the fact that over 97% of journeys in the Muinmos platform have been completed (and the Muinmos platform includes also automated client classification, suitability assessment, product appropriateness assessment, and much more), if done correctly, with AI-adaptive journeys etc., this “friction” does not materially affect drop-off rates.

In Conclusion

The trend here is very clear:

1. Regulators will continue to scrutinize the use and implementation of RegTech solutions by financial institutions.

2. Solutions which are not real compliance solutions, and are more of a “rubber-stamp” provider, will not be seen as fulfilling compliance requirements, and institutions can therefore no longer “hide” behind the use of such solutions and claim compliance.

3. Firms that have invested in solutions that are not fit-for-purpose can see their investment lost, and may even face the need for further investment in the form of hefty fines and costly remediation steps.