Best practices for financial and competition regulators around the world.

The outlook for competition and financial services regulators is constantly evolving. To understand the key shifts, particularly during the COVID-19 pandemic, Nuix engaged Ari Kaplan Advisors to study the best practices for interacting with an array of financial and competition regulators around the world, as well as their preferred technology protocols, primary enforcement strategies, and data sharing preferences.

Between March 20 and August 11, 2020 Ari Kaplan personally interviewed 31 regulators responsible for securities, financial services, and competition in 18 countries. Below is a summary of the findings on the perception of investigations, the composition of key regulatory teams, the impact of technology, and impressions of enforcement.

COMMENCING AN INVESTIGATION

Complaints are Often the Catalyst

For 42 percent of regulators surveyed, complaints were a prime gateway to an investigation. “Most work comes in due to complaints from a consumer or a market participant who loses money or has trouble getting money back,” said a securities regulator in North America.

SCOPING THE INVESTIGATION HAS COMMON STEPS

When asked about how they established the depth, breadth, and gravity of key issues in advance, the respondents highlighted a number of recurring themes. In fact, one regulator emphasized that the COVID-19 pandemic was raising an array of new concerns.“

COVID-19 has put more financial pressure on firms because it is very easy to do the right thing when things are going well, but it is much more difficult to do the right thing when things are going badly,” said a leader with a financial regulator in Europe.

EARLY INVESTIGATIVE ASSESSMENT

After outlining the general parameters of the discussion, many regulators also consider the severity of the matter and the unique nature of the case in developing their strategy.“In determining severity, we look at the amount of money at issue, the number and type of victims, and whether the malfeasance is ongoing or stopped,” said a securities regulator in North America.

Third-Party Support is Rare, but Seemed to be Dictated by Country Size

One-third (35 percent) of participating regulators indicated that adding third-party support such as outside counsel or external auditors was not common. “It is unusual to engage a third party to support an investigation,” said a financial regulator in South America. “Third parties are typically not involved,” concurred a leader focused on competition in the Asia-Pacific region.

That said, however, “On a large matter, we may look to bring on forensics support,” said an investigator with a regulator in the Middle East.

COVID-19 has put more financial pressure on firms because it is very easy to do the right thing when things are going well, but it is much more difficult to do the right thing when things are going badly.

COMMUNICATION

Most Regulators Do Not Provide Advanced Investigation Warning

More than half (61 percent) of respondents reported they did not provide any warning before launching an inquiry. “The purpose of a dawn raid is to surprise the company and ensure that it does not destroy the evidence,” explained a competition leader in a European country that does not provide notice.

In some jurisdictions, however, notice is required. “Usually, we notify the bank about two weeks in advance; if we want to sanction a bank, then the bank must be given an opportunity to defend itself,” said a leader with a banking authority in Europe. “We must inform businesses of an investigation before launching one,” added another regulator in that region.

INFORMATION SHARING IS TYPICALLY LIMITED

A number of jurisdictions restrict the information that an agency can share. “We only share information with internal authorization as our investigations are confidential under our governing statute,” said a securities regulator in North America.

“We only share specific information related to a discrete set of circumstances,” reported an IT leader with a regulator in Europe.

DATA COLLECTION

Do you typically request all potentially relevant information at the outset or initially ask for narrow set of data and expand the scope as you proceed with you examination?

There was a split among the participating regulators, with most (52 percent) requesting a narrow set of data and expanding the scope of their investigation as the inquiry evolved. “The regulated entities provide routine reports, but if we need to investigate further, we identify the additional information that would support a specific inquiry; we are typically not fishing or requesting a broad set of data,” explained a leader with a banking authority in Europe.“ We start with specific searches during the dawn raid and build it based on what we find in the early stages; we do not typically collect all the data at once,” added an investigator with a regulator in the same region.

EMPOWERING WITH MACHINE LEARNING

Do you use analytics tools or predictive coding to assist in the review with prioritization or reducing volumes?

Two in five (42 percent) responding regulators use analytics tools or machine learning techniques such as predictive coding to assist with prioritizing their documents or reducing data volumes.“

It can connect individuals and entities with specific bank transactions and amounts; it also creates a visual picture of the relationships within the data,” said an IT leader with a regulator in Europe. “We would like to take advantage of Nuix predictive coding for picture classification for scanned documents and we are trying to use machine learning to classify documents,” said a competition leader in the same region.

Regulators are Leveraging Predictive Coding More than their Targets

Who performs coding—you or the target?

While almost half of the participating regulators reported using predictive coding, fewer knew if or suspected that their target companies were doing so. Some suggested that they were too small and others did not think they were sophisticated enough. “Neither the regulator, nor the target, typically have the technology to perform predictive coding,” said a leader focused on competition in Europe.

That said, the consensus was that its use was increasing. “It is widespread; while the smaller companies may not use it, the larger companies are using this technology to understand their data,” noted a leader with a financial regulator.

FINES ARE THE PREFERRED FORM OF ENFORCEMENT

Which type of enforcement do you typically prefer? [respondents could select more than one answer]

While there are various enforcement options available to regulators, ranging from a public notice to a written warning, fines were the most appealing to the respondents. “The most common type of enforcement is a fine,” said a compliance leader with a financial regulator in Africa. “If we find something wrong, there will be a fine, but if there is harm to consumers, there is redress that requires more effort than a fine,” noted a leader with a financial regulator in Europe. Many also noted that deterrence was a critical factor. “Education key so it is important to educate the public to limit the number of victims through education; also, the stronger the punishment, the longer one would think about a particular scam,” said a leader with a securities regulator in North America. “Ultimately, the goal is to stop certain behavior,” advised a competition leader in Europe. “The enforcement process is gradual and the goal is to ensure compliance so if a warning promotes compliance, we prefer that approach,” said a financial regulator in South America.

2021 AND BEYOND

Two key drivers of regulatory operations moving forward are automation and investigation readiness. Both have the potential to streamline efficiency and effectiveness.

Automation

Do you automate repeatable steps that help you act and uncover critical data more quickly?

The respondents were evenly split on their efforts to automate key tasks. Most of the regulators that did not preset the activities felt that technology was not applicable to their core matters. “We probably could, but our work varies so much that we don’t have a sufficient number of repeatable functions,” said a leader with a financial regulator in Europe. Of those that do, their focus ranged from specific eDiscovery tasks to digital forensics. “We automate deduplication, redaction for disclosure, tagging as irrelevant, categorization, and the removal of system files,” said a securities regulator in North America.

Investigation Readiness

As we looked ahead at the regulatory landscape, there was extensive discussion about investigation readiness and its impact on future activities. The definitions ranged from better data mapping and improved remote access to increased automation and effective data management.

“You need to have investigation policies in place and know where your data is, whether it is in the cloud and in the country, and whether there are SLAs in place; investigative readiness requires compliance with the law and is about having the tools, people and infrastructure to execute pro-actively,” said an investigator with a regulator in Africa.“

Data mapping and tools that allow data preservation on any device are critical to have in place,” added a regulator in Asia. Investigation readiness is particularly important in light of the pandemic.“

COVID-19 frauds are huge, for example; COVID-19 has had a huge impact as the majority of our employees are working remotely, with some back in the office at appropriate physical distances so it has made a difference in how we work,” said a leader with a tax regulator in North America. One common theme in the Asia-Pacific region was that investigation readiness was “simply business as usual for us,” noted a financial regulator.“

We don’t really discuss investigation readiness because it is our core business and we feel that we are always investigation ready; the expectation is that it is what we do and who we are,” added a leader focused on competition.

For more information, visit nuix.com/regulators-2021.

Print:
EmailTweetLikeLinkedIn
Photo of Stuart Clarke Stuart Clarke

Stuart is an internationally respected cybersecurity expert who is globally responsible for the overall security and intelligence strategy and delivery at Nuix. Stuart also has consultancy experience across the areas of digital forensic, cybersecurity and eDiscovery, and has advised the United Nations’ peak…

Stuart is an internationally respected cybersecurity expert who is globally responsible for the overall security and intelligence strategy and delivery at Nuix. Stuart also has consultancy experience across the areas of digital forensic, cybersecurity and eDiscovery, and has advised the United Nations’ peak cybersecurity body ITU providing cybersecurity training for over 60 national CERTs.

Photo of Ari Kaplan - Ari Kaplan Advisors Ari Kaplan - Ari Kaplan Advisors

Ari Kaplan is a legal industry analyst and speaker who helps individuals and organizations create new opportunities by learning more about members of their target audience and focusing their business development efforts on reaching them effectively.