Lex; in Breve
The online supplement to our eponymous journal features concise and insightful articles penned by law students from the University of Malaya, as well as guest writers.
On 23rd November 2017, Quanta RegTech Capital (QRC) in collaboration with Infinity Blockchain Labs (IBL) embarked on the Asian leg of its RegTech World Tour in Ho Chin Minh City to acquaint the global community with RegTech. The kick-off event was attended by representatives from varying sectors but principally consisted of those from the corporate and legal sector. The session was allocated to four speakers who spoke about RegTech from different perspectives, all of which are highlighted in this report.
I. WHAT IS REGTECH?
Adam Vaziri, co-founder of Diacle aptly began with a short introduction to RegTech. ‘RegTech’ or regulatory technology, was described as being the use of technology to facilitate compliance in regulated industries. RegTech not only addresses the needs of regulated businesses, but also the needs of regulators or governmental agencies as well.
The advent of FinTech resulted from the acknowledgement of the shortfalls in the traditional risk assessment regime in the financial industry, which was particularly palpable after the 2008 Global Financial Crisis.
Unlike in Fintech, there is no pivotal event where the introduction of RegTech is concerned. However, its introduction is also the consequence of a realisation that the existing systems in regulatory compliance are inadequate and can be much improved.
Najihah (left) with Nur Husna Zakaria, lecturer at the Faculty of Law, University of Malaya who presented during the event.
II. THE NEED FOR REGTECH.
To summarise, the inadequacies in RegTech were detailed by the speakers as follows:
i. High cost.
Nur Husna Zakaria, a lecturer at the Faculty of Law, University of Malaya in her presentation entitled, “How blockchain-based RegTech can transform Malaysia’s compliance regime” detailed these inadequacies by zeroing in on issues in the aspect of Governance, Risk and Compliance (GRC) specifically in the context of Anti-Money Laundering and Counter-Terrorism Financing regulations (AMLA-CTF) or Know Your Client requirements (KYC). These entail preliminarily, the need for checks on clients to identify who they are and to track their activities for suspicious transactions.
Manfred Otto, Senior Associate at Duanne Morris Vietnam LLC whose presentation was titled “RegTech in Asia: Opportunities & Challenges”, presented that within the financial industry in China, Hong Kong, Indonesia, Malaysia, Singapore and Thailand, these compliance activities amount to an aggregate of USD1.5 million per annum in costs. In addition, in the period beginning 2009 to 2016, banks in the United States alone were reported to have incurred USD321 billion in penalties for incompliance to the above AMLA-CTF requirements.
Asian countries have moved towards developing technology to aid in compliance with AMLA-CTF. The Indonesian government, in collaboration with Biomorf, introduced the E-Kartu Tanda Penduduk system in 2011 where government bodies and businesses alike are now able to access individual data through embedded microchips for the purpose of screening. However, easing the process of regulatory compliance in this area may be far cheaper in cost and may also be better accelerated with the adoption of RegTech.
The issue with high cost is not only prevalent in the corporate sector and AMLA-CTF but is reflected through administrative processes within the legal services sector as well. Amy ter Haar, President of Integra Ledger Canada, in her presentation, “Blockchain for Law” highlighted that lawyers in the United States spend only up to 2.3 hours on billable tasks. A whopping 48% of a lawyer’s time is spent on administrative tasks such as configuring technology as well as generating and sending bills to clients.
ii. Limited resources and expertise
Husna presented that there exists a regressive pattern in compliance costs where smaller firms, such as Small and Medium Enterprises (SMEs) in Malaysia, have been observed as spending more on compliance activities as compared to larger entities. This stems particularly from the lack of resources and expertise. SMEs frequently need to outsource expertise in regulated areas such as taxation where documentation, record-keeping and filing annual returns with the Income Tax Department is mandated.
The use of blockchain technology in this arena is said to enable automation where each transaction within such firms can be digitised, codified and placed onto a blockchain; dispelling entirely the need for manual record-keeping and documentation.
iii. Complex requirements
In Malaysia, the issue on the complexity of requirements is most prominently reflected in the obligations imposed by the Securities Commission’s Code of Corporate Governance which introduced complex requirements to put in place effective audit mechanisms and to establish risk management and internal control frameworks. Consequently, in 2015, Bursa Malaysia found that of 450 listed public companies, a staggering 40% failed to properly comply with the standards.
Husna also referred to regulations introduced by Bank Negara Malaysia relating to the operational risks of financial services business. These include Risk Governance Policy and Guidelines on Risk Management and Internal Controls for Conduct of Money Services Business and Basel III Circular which require Malaysian banks to report on its compliance with the provisions relating to the maintenance of capital as well as leverage and liquidity ratios. The Institute of Bankers Malaysia has however reported that 27% of bank officers in charge of risk management do not comprehend their tasks and responsibilities.
RegTech enables the processing of aggregate business data for risk management. Minimal reliance is therefore needed from manual labour, which in turn dispels the risk of error in view of the complex requirements. Instead of mandatory reporting, regulators may instead participate in a permissioned blockchain platform where real-time and transparent access to transactional data from each particular business is possible.
iv. Duplicated requirements
Regulators in Asia have undertaken the establishment of electronic systems geared towards regulatory compliance. Manfred presented that in Vietnam, this development reflected through e-Customs, e-Tax Payment and e-Business Registration system.
Nonetheless, there still exists problems with overlapping requirements. Regulatory bodies, though integrated in functions, tend to act individually. Businesses therefore find themselves repeating the same processes for different approvals.
Husna cited the Malaysian logistic industry as a ase where operators face issues in obtaining proper permits due to the need to file the same documents to a different body each time a different permit or license is needed from different regulatory agency. Malaysian logistics companies are reported to have dealt with as many as 37 permit-issuing agencies, which has inherently resulted in undue delay and expenditure.
With RegTech, different regulating agencies would be able to access data relating to a corporation for the purpose of permit applications and approvals across industries, and regulatory agencies without the need for multiple data submission.
This issue of vulnerability is of particular significance in the legal services industryAccording to the 2016 American Bar Association Legal Technology Report, 63% of law firms report that potential and current clients require that they comply with security requirements in dealing with their data.
Amy however forwarded that in view of increasing number devices providing access points to client data, breaches are becoming more prevalent. A survey conducted across 200 law firms in the United States concluded that 40% of them experienced data breaches in 2016 but were not even informed about them. Moreover, it is also reflected that 89% of lawyers use unencrypted emails in their communication with clients. There is thus, an urgent need to adopt technology such as Blockchain to enable increased security.
III. REGTECH APPLICATIONS
Adam introduced various RegTech applications currently available and their uses. These applications and their specific functions, whether in the field of regulatory compliance or otherwise, are detailed as follows:
Ancoa is a market surveillance application created to detect market manipulation, insider trading and collusion though big data analytics, which is the processing of high volumes of data of varying forms, to trace patterns in market-wide transactions. The utility of this application enables market regulators to apprehend perpetrators.
ii. Dragon Law
Dragon Law application is specifically streamlined for the assembly of legal documents. It enables users to customise their very own contracts within minutes using a workflow tool. The application may be integrated into a business’ own enterprising software for the purpose of invoicing.
The Coinfirm application is of integrated nature, used alongside other applications for the primary purpose of AMLA-CTF. It traces anomalies within a blockchain and alerts users on the scale of risk a particular blockchain address has.
This Artificial Intelligence-based application utilises big data and machine learning for the purpose of ensuring holistic analysis of a wide range of information relating to clients. The information gathered and analysed extends to sanction lists, politically exposed persons and adverse media checks. This automated system circumvents the need for manual checks and the need for intermediaries.
Blockpass, which is also an integrated application, works for swifter identity verification. Through blockchain technology, entities may sign up for Blockpass by downloading the application, keying in information relevant to them upon which their identity will be verified by existing users on the network. A Blockpass user would then be able to transact using other applications with limited delay for due diligence.
As with most new things that threaten to overhaul status quo, there are certainly challenges that must be addressed. These are highlighted below:
i. Apprehension towards RegTech
This issue formed a common thread across all four presentations and was perhaps a topic most provocative to attendees. A question posed to the speakers during the session is whether RegTech will replace professionals, namely lawyers and auditors seeing as their conventional roles seem to be increasingly usurped by technology. This concern is in no way illegitimate and the apprehension towards RegTech, as highlighted by both Adam and Husna, extends beyond the four corners of the seminar. An apt illustration forwarded by both is the 2016 controversy surrounding the introduction of Dragon Law in Malaysia. The Malaysian Bar Council took a stance against the set-up, citing Section 37(2) of the Legal Profession Act to indicate that Dragon Law is prohibited from undertaking the roles conventionally performed by an advocate and solicitor which of course included the creation of contracts.
The position undertaken by the presenters when posed with this issue is that while RegTech forms the more efficient alternative to regulatory compliance, there is still a need for professionals as far as forming the technology is concerned. Amy indicated that whilst RegTech would enable efficiency, in the context of legal profession, lawyers are still necessary for the purpose of dispute resolution, which is the one feat RegTech may not be able to fully undertake.
To overcome this issue, the speakers call for open-engagement amongst key players in the industry, which include government and regulators, RegTech start-ups and developers as well as potential users such as companies or law firms. Each of these players as well as other stakeholders in the industry must be accorded with the opportunity to be heard and consulted.
ii. Research and development
As a young industry, there is undoubtedly a lack of participation amongst key players. This necessarily means that development of new applications to address the multitude of issues that exist is more scant than what is ideal. There is thus an apt call amongst all speakers for cooperation between regulators, developers and users of RegTech to share input.
The formation of Sandboxes is ideal to enable both regulators and users to understand the benefits of RegTech for compliance purposes and for developers to identify necessary improvements based on real-time usage of their applications or test runs.
Beyond this, Husna suggests that regulators should refrain from being over-prescriptive in introducing regulatory requirements. Instead, general objectives and guidance should be given so as to empower users and developers to more flexibly develop an application for regulatory compliance that best suit to needs of each individual firm.
iii. Standards and governance
A key feature of the RegTech, particularly those that are Blockchain-based, is the absence of governing intermediaries. It is thus necessary that for the players in the industry cooperate with one another on not just locally, but on a global scale. Amy highlighted that in the legal sphere, this need is addressed through the introduction of the Global Legal Blockchain Consortium, involving high impact players in the legal technology industry to enhance security, privacy, productivity, and interoperability of the ecosystem. The establishment of the consortium would enable the establishment of blockchain-based identities for law, encompassing client, matter and document identity.
Where Regtech is concerned, QRC and IBL, through the RegTech World Tour are leaning towards establishing a RegTech consortium, an initiative that is certainly important for the progress of the industry.
Group photo of the attendees, presenters and organisers of the event.
The kick-off event for the RegTech World Tour has made two things clear. First, the need for RegTech is trite. Second, it is now time for all stakeholders to cooperate in easing the arduous task of regulatory compliance.
This article was written by Sitti Najihah binti Md Rusli, an undergraduate at the Faculty of Law, University of Malaya. Najihah participated in the event as research assistant to the presenter, Nur Husna Zakaria, as sponsored by the organisers.
Edited by Hanan Khaleeda.
 LexisNexis Risk Solutions, Uncover the True Cost of Anti-Money Laundering & KYC Compliance, <https://www.lexisnexis.com/risk/intl/en/resources/research/true-cost-of-aml-compliance-apac-survey-report.pdf>
 Cox, J. (2017, March 3). Banks Have Paid $321 billion in Fines Since the Crisis, Retrieved from <https://www.cnbc.com/2017/03/03/banks-have-paid-321-billion-in-fines-since-the-crisis.html.>
 Law Technology Today. (2017, November 7). 2017 Legal Trends Report Delivers the Data That Law Firms Need. Retrieved from <http://www.lawtechnologytoday.org/2017/11/legal-trends-report-clio>
 Pope, J. & Hijattulah Abdul-Jabbar. (2008). Tax Compliance Costs of Small and Medium Enterprises in Malaysia: Policy Implications, School of Economics and Finance Working Paper Series.
 Ngui, N. (2015, December 17). More than 180 Malaysian listed firms lack compliance. Retrieved from <https://www.thestar.com.my/business/business-news/2015/12/17/slack-on-governance/>
 EY & Insitute of Bankers. (2014). Beyond IT to totality: Malaysia’s Information Technology Risk Management survey of Banks. Retrieved from <http://www.ey.com/publication/vwluassets/ey_-_it_risk_management_survey/$file/ey-it-risk-management-survey.pdf>
 Malaysian Productivity Council, Reducing Unnecessary Regulatory Burdens on Business (RURB): Logistics Sector. Retrieved from <http://www.mpc.gov.my/wp-content/uploads/2016/04/RURB-Logistics-Draft-Full-Report.pdf>
 Sobowale, J. (2017, March). Law firms must manage cybersecurity risks. Retrieved from <http://www.abajournal.com/magazine/article/managing_cybersecurity_risk>
 Steiner, D. (2017, August 3). Hackers are aggressively targeting law firms' data. Retrieved from <https://www.cio.com/article/3212829/cyber-attacks-espionage/hackers-are-aggressively-targeting-law-firms-data.html>
 Reisenwitz, C. (2015, December 9). Why 2016 is the Year Your Firm Should Take Cybersecurity Seriously: The Growing Threat of Law Firm Cyberattacks. Retrieved from <https://blog.capterra.com/growing-threat-of-law-firm-cyberattacks>