DISCUSSION NOTE From Spreadsheets to Suptech Technology Solutions for Market Conduct Supervision JUNE 2018 Finance, Competitiveness & Innovation Global Practice © 2018 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. RIGHTS AND PERMISSIONS The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org. CONTENTS Acknowledgments ii Abbreviations iii 1 INTRODUCTION 1 2 UNDERSTANDING SUPTECH 2 2.1 Suptech versus Regtech: What’s in a Name? 2 2.2 Suptech for Market Conduct: Potential Use Cases and Outcomes 3 3 SUPTECH IN PRACTICE: MARKET CONDUCT CASE STUDIES FROM THREE COUNTRIES 6 3.1 Case Study: U.S. Consumer Financial Protection Bureau 7 3.2 Case Study: Bank of Lithuania 10 3.3 Case Study: Central Bank of Brazil 12 4 CROSS-CUTTING CONSIDERATIONS 15 REFERENCES 18 BOXES AND FIGURES Box 2.1 Automated Data Collection in Austria and Rwanda 5 Box 2.2 Exploring Machine Readable and Executable Regulations in the United Kingdom 5 Figure 1 Suptech Conceptual Framework 6 Figure 2 Bank of Lithuania’s Electronic Complaints System 11 Figure 3 Scope of Risk-Assessment Exercise for FSPs 12 Figure 4 Central Bank of Brazil’s Conduct Risk Framework for NBFIs 13 Figure 5 Central Bank of Brazil’s Conduct Inspection Workflow for NBFIs 14   i ACKNOWLEDGMENTS This discussion note is a product of the Financial Inclusion, Infrastructure & Access Unit in the World Bank Group’s Finance, Competitiveness & Innovation Global Practice. This note was prepared by Gian Boeddu, Laura Brix, Nomsa Kachingwe, Ligia Lopes, and Douglas Randall. Mahesh Uttamchandani, Douglas Peace and Sebastian Molineus provided overall guid- ance. The team is grateful for the substantive feedback received from peer reviewers Sharmista Appaya, Denise Dias, Erik Feyen, Juan Carlos Izaguirre, Ivo Jenik, and Mark Schrijver. The team gratefully acknowledges the generous contributions of time and expertise by financial sector authorities at the Consumer Financial Protection Bureau (United States), the Bank of Lithuania, and the Central Bank of Brazil. The team thanks Naylor Design, Inc. for design and layout assistance, and Charles Hagner for edi- torial inputs. ii ACRONYMS AND ABBREVIATIONS AML/CFT anti-money laundering/combating the financing of terrorism BCB Central Bank of Brazil BoL Bank of Lithuania CCD Consumer Complaint Database CFPB Consumer Financial Protection Bureau CRM customer relationship management Fintech financial technology FSP financial service provider NBFI nonbank financial institution Regtech regulatory technology SisCom Integrated System for Supervision Support and Communication Suptech supervisory technology   iii 1 INTRODUCTION Effective and efficient market conduct supervision is crit- stakeholders. The use of technology to facilitate and ical to ensuring that financial consumers are protected enhance supervisory activities and processes is referred to from unfair business practices and provided with clear in this discussion note as Suptech (that is, supervisory and relevant information. In countries with ambitious technology). financial inclusion agendas, robust market conduct supervision is important to ensure that financial inclusion This note highlights examples of technology solutions objectives are achieved responsibly and sustainably. that are being adopted for market conduct supervision, Maintaining the integrity of the financial system is also including the implications of these technology solutions sometimes considered as an aspect of market conduct for broader supervisory approaches. The term market supervision. conduct supervision, as used in the note, refers to aspects of financial sector supervision other than prudential super- Yet market conduct supervision is a challenge in many vision, such as consumer protection, anti-money launder- jurisdictions. Effective market conduct supervision ing/combating the financing of terrorism (AML/CFT),1 and requires the collection of a wide range of data from dis- competition-related business conduct issues. Suptech parate sources. Financial sector supervisory authorities approaches to market conduct supervision are in some (supervisory authorities) must also undertake complex, ways similar to those pursued for prudential supervision, qualitative analyses to determine compliance with legis- although there are also importance differences, as will be lation or regulation that is often principles based or com- discussed in this note. prises judgement-based rules. These challenges are compounded when a financial sector supervisory author- The note provides a general examination of Suptech, as ity’s market conduct mandate covers a large number and well as three country case studies. The note begins with a a diverse range of financial service providers (FSPs), and conceptual overview of Suptech and related concepts in when many such FSPs have unique or unfamiliar risk pro- section 2. This is followed in section 3 by three case stud- files. For example, a supervisory authority’s mandate ies that illustrate how Suptech is currently being applied may cover not only commercial banks but financial coop- by market conduct supervisory authorities—specifically, in eratives, microfinance institutions, nonbank e-money the context of financial consumer protection (using coun- issuers, and new Fintech (financial technology) market try case studies from the United States and Lithuania) and entrants such as person-to-person lending platforms. in the context of AML/CFT (using a country case study Supervisory authorities may also face capacity con- from Brazil). Section 4 concludes with a discussion of straints, particularly in cases where the market conduct cross-cutting considerations, including the risks and chal- supervision function is at a nascent stage or is inade- lenges that may arise with Suptech, and areas for further quately staffed or funded. research and exploration. Many supervisory authorities are therefore seeking tech- As noted by the Toronto Centre, many examples of nology-enabled solutions to increase the efficiency and Suptech solutions, particularly those using the most effectiveness of their supervisory activities. The use of technology can enable supervisory authorities to better The Financial Conduct Authority (United Kingdom) and the 1.  identify and monitor sources of risk and improve the accu- Central Bank of Brazil are examples of authorities that refer to racy and timeliness of information flows and interactions financial consumer protection, competition, and market between the supervisory authorities and financial sector integrity as conduct risks.   1 2   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision innovative technologies, are still at concept or pilot 2017). The relationship with Fintech3 is also evident in this phase (Toronto Centre 2017, 12). Some of these are definition from an industry participant: “[Regtech] is a term discussed in section 2. However, the case studies dis- coined to classify a group of companies that, by harness- cussed in section 3 were selected because they involve ing the capabilities enabled by new technologies such as the implementation of Suptech solutions in two differ- cloud computing, big data, and blockchain, are devising ent market conduct supervision areas and were suffi- solutions to help companies across all sectors of activity ciently advanced in their implementation to allow an ensure that they comply with regulatory requirements” examination of the practical experience of the relevant (Fernández Espinosa 2016). Finally, the International supervisory authorities.2 It is hoped that this note will Regtech Association describes Regtech as “digitization of provide useful lessons and insights on the opportunities regulatory compliance processes,” which places the focus and challenges for the use of Suptech to enhance mar- on automation and enhancing or eliminating manual pro- ket conduct supervision. cesses (IRTA, “Supporting the Development”). While FSPs’ regulatory compliance and supervisory 2  UNDERSTANDING SUPTECH authorities’ supervision processes likely overlap, and some commentators have used the term Regtech also to SUPTECH VERSUS REGTECH: 2.1  refer to technology for use by supervisory authorities, this WHAT’S IN A NAME? discussion note uses the term to refer to the use of tech- nology to facilitate and enhance regulatory compliance The terms Regtech (that is, regulatory technology) and processes from the perspective of FSPs. Suptech have recently emerged in discussions among financial sector practitioners. However, no definitions of Suptech these terms are universally agreed upon, and wide varia- The increased scope and complexity of regulation that tion remains in how they are applied. This section pro- has raised compliance costs for FSPs also presents a chal- vides a brief summary of different perspectives on Regtech lenge for the supervisory authorities who must process and Suptech, and outlines the working definitions and and analyze data of ever-increasing volume, frequency, conceptual framework adopted for this note. and granularity. Greater market diversity and innovation further stress the capacity of supervisory authorities in Regtech many jurisdictions. In response, supervisory authorities are In many jurisdictions, increased scope and complexity of seeking to leverage technology and digitize key processes regulation has raised compliance costs for FSPs. For in order to increase their efficiency and effectiveness. example, some FSPs are being subjected to new areas of While less attention has been given to defining and regulation (for example, financial consumer protection), advancing the concept of Suptech relative to Regtech, and others are being required to meet higher standards in interest in Suptech is on the rise. existing frameworks (for example, with respect to risk data aggregation and reporting). Regtech is one response to The Basel Committee on Banking Supervision has defined these trends. Most definitions of Regtech focus on the use Suptech variously as “the use of new technologies for of technology to enhance FSPs’ ability to achieve regula- internal supervisory purposes” and “the use of technolog- tory compliance while minimizing costs. ically enabled innovation by supervisory authorities” (BCBS 2017, 31). The Basel Committee elaborates on this For example, the Institute of International Finance defines concept by noting that “Suptech lets supervisors conduct Regtech as “the use of new technologies to solve reg- supervisory work more effectively and efficiently. This dif- ulatory and compliance requirements more effectively fers from Regtech, as Suptech is not focused on assisting and efficiently” (IIF 2016, 3). In the United Kingdom, the with compliance with laws and regulations, but on sup- Financial Conduct Authority has described Regtech as “a porting supervisory agencies in their assessment of that sub-set of Fintech that focuses on technologies that may compliance” (BCBS 2017, 35). facilitate the delivery of regulatory requirements more effi- ciently and effectively than existing capabilities” (Woolard The Basel Committee on Banking Supervision (BCBS 2017) and 3.  Financial Stability Board (FSB 2017) define Fintech as “technologi- cally enabled financial innovation that could result in new business 2.  The descriptions of the implementations in this note were based models, applications, processes, or products with an associated on interviews with, and materials provided by, the respective material effect on financial markets and institutions and the supervisory authorities. provision of financial services.” From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   3 Thus, for the purposes of this discussion note, Suptech is and customers through analysis of consumer complaints used to refer to the use of technology to facilitate and data. Artificial intelligence tools can also be leveraged in enhance supervisory processes from the perspective of the analysis of suspicious transactions to identify those that supervisory authorities. warrant closer investigation.6 Technology-enhanced supervision is not new, of course. As a recent Toronto Centre note points out, the emer- Various technology solutions have been adopted by gence of Suptech may enable broader shifts in approaches supervisory authorities over the years to improve the to supervision, toward “a pro-active, forward-looking efficiency of supervisory processes and activities—for supervision that relies on better data collection and example, database management software, XBRL (that sophisticated data analytics, and greater storage and is, eXtensible Business Reporting Language), and other mobility capacity” (Toronto Centre 2017, 10). While Supt- electronic reporting templates and tools to capture and ech solutions need not always involve cutting-edge tech- analyze data. nology to be effective in achieving these goals, it is also important to continue to pursue innovative approaches so Yet supervisory activities in many jurisdictions remain that supervisory authorities can fully leverage the benefits heavily reliant on manual processes. Unintegrated internal of technology. information-management systems and inflexible standard report templates also hinder the degree to which supervi- sors can identify and analyze risks in real time. And many SUPTECH FOR MARKET CONDUCT: 2.2   supervisory authorities also struggle to make effective use POTENTIAL USE CASES AND OUTCOMES of unstructured4 or qualitative data (such as information related to complaints, disclosure materials, annual reports, The demand for Suptech solutions among market conduct and so forth). Suptech solutions provide an opportunity supervisors is present and growing. To date, however, it for supervisory authorities to shift away from manual, unin- appears that relatively few private sector providers—includ- tegrated, “tick-box” processes to automated, real-time, ing Fintech companies and established technology service integrated, and “smart” supervisory processes. providers—have emerged to serve the unique needs of market conduct regulators and supervisors (Petrasic, Saul, Many Suptech solutions include an element of process and Lee 2016). Many of the basic tools used to under- automation, which enables the automation of manual, take market conduct supervision are similar to those used rules-based processes like inputting or processing data for prudential supervision, as both types of supervision across multiple platforms. An example of this would be a involve market monitoring as well as off-site and on-site data-pull system that allows a supervisory authority to inspections. However, the implementation of these tools automatically to access raw business data directly from an often differs—for example, in the type of data collected, FSP’s management information system at predetermined risks assessed, and corrective actions deployed. Market intervals and to aggregate the data into a set of indicators conduct supervision also typically includes a unique set and reports. A supervisory authority can also use process of tools, including monitoring FSPs’ treatment of individ- automation to integrate data from a range of sources (such ual customers, assessing the effectiveness of FSPs’ com- as monthly off-site supervision returns, financial ombuds- plaints-handling mechanisms, identifying anticompetitive man data, and credit bureau data) into a single report. practices, and monitoring suspicious transactions. Artificial intelligence offers further opportunities to improve As such, market conduct supervisory authorities face sig- the efficiency and effectiveness of market conduct supervi- nificant and at times unique challenges. First, the type of sion. Artificial intelligence tools can mimic human thinking, data required to monitor compliance with market con- including by automating the process of discovering and duct regulation is often unstructured and can come from testing hypotheses and extracting insights from data.5 For a wide range of sources. For example, in the case of example, artificial intelligence can be applied to discover financial consumer protection, a supervisory authority patterns of recurring friction points between providers may analyze unstructured complaints data from the FSPs under its jurisdiction, relevant alternate dispute-resolu- tion entities like financial ombudsmen (or a separate 4.  Unstructured data refers to information that does not adhere to complaints-handling function within the authority), as well a predefined structure (for example, numeric or categorical). Text is a common example of unstructured data—for example, a customer’s description of his or her complaint against an FSP. 5. The term artificial intelligence is used broadly in this note and For a broader discussion of artificial intelligence and machine 6.  covers such subfields as machine learning and natural language learning in financial services, see FSB 2017. processing. 4   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision as various media and social media sources. The unstruc- ities are pursuing a “test and learn,” or sandbox, approach tured nature of the data and diversity of data sources cre- to understanding consumer or market risks associated with ate challenges in data aggregation and analysis to identify a new provider, delivery channel, or product. potential risks to consumers and the market. Finally, many market conduct supervisors operate in Second, the complexity of the analyses undertaken by jurisdictions in which the regulatory or supervisory frame- market conduct supervisors is often due to its qualitative work for market conduct is not fully developed. This can nature. For example, a market conduct supervisor may result in insufficient resources, limited staff capacity, and have to determine compliance with principles-based reg- a lack of appropriate powers to undertake market con- ulation, such as whether a certain business practice is duct supervision. “fair” to the customer. The result is that effective market conduct supervision relies heavily on professional judg- How can Suptech support supervisory authorities in ment and the relationship between such judgment and addressing these and other supervisory challenges? Poten- data-driven analysis is not always straightforward. This tial use cases and outcomes include the following: aspect of market conduct supervision also raises the • Automated data collection: Suptech solutions can potential value of artificial intelligence applications to be deployed to improve the timeliness, scope, and lighten the burden of supervisory authorities in efficiently granularity of collected data and to reduce reliance filtering and analyzing such qualitative data, while main- on manual processes. Data-input and data-pull sys- taining control over supervisory judgments that are ulti- tems are two Suptech solutions that relieve FSPs of mately made. the burden of data aggregation; instead, an FSP’s raw data is shared with the supervisory authority. Exam- Third, the proliferation of new Fintech market entrants and ples in Austria and Rwanda illustrate these approaches. digital financial services adds further complexity to the (See box 1.) supervisory process, as digital financial services models can be accompanied by new sources of consumer risk (for Machine readable and executable regulation is another example, with respect to data privacy). This is particularly tool in which regulatory reporting requirements are relevant in instances where a robust market conduct regu- coded into a language that can be read and executed latory framework is not yet in place and supervisory author- by a machine. Supervisory authorities in the United BOX 2.1 Automated Data Collection in Austria and Rwanda Supervisory authorities in Austria and Rwanda have departments, and allows cost sharing of compliance developed Suptech solutions for automated data col- between the supervisor and industry. lection that can be leveraged for market conduct. The Austrian example represents a data-input approach, Another example is an automated data-pull system while the Rwanda example represents a data-pull developed by the National Bank of Rwanda to enable approach. supervisors to access raw data from supervised FSPs’ systems and then process the data into reports using The Austrian central bank, in collaboration with Aus- its own software. The system comprises an electronic trian banks, has developed an innovative data-input data warehouse to automate and streamline the regulatory reporting platform that provides a direct reporting processes that inform and facilitate supervi- interface between the IT systems of the central bank sion. The data warehouse permits the National Bank and banks. The platform allows banks to upload data of Rwanda to automatically “pull” data from the sys- in a standardized format, according to Austrian cen- tems of supervised entities, reducing the need for tral bank requirements and specifications. The central manually produced reports and improving accuracy bank can then transform the data into “smart cubes,” and consistency of data. The electronic data ware- or data sets, containing specific data and information house also facilitates daily automated data pulls for relevant for different departments within the Austrian certain types of data. This approach does however central bank. This new model ensures more consistent generate new concerns and challenges, including and higher-quality data, relieves banks from having those related to data privacy, operational risk, and to prepare different reports for different supervisory reputational risk. From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   5 Kingdom are actively exploring this approach, as such as social media posts, customer reviews, or con- detailed in box 2. sumer complaints. Advanced analytical tools can be deployed to detect spikes and trends in key market Such automated data-collection tools can represent conduct indicators—for example, to detect a rise in a the intersection of Regtech and Suptech, as both the certain type of potentially suspicious transactions. FSPs and the supervisory authorities are using the same Such Suptech solutions can enable accurate and timely technology. Automated data collection can yield a identification of risks to inform risk-based supervision, range of granular data, often in real time, create cost including for new Fintech market entrants and digital and temporal efficiencies for supervisory authorities, financial services. and free up staff resources from manual processes for tasks that require professional judgment. Automated • Platform and database integration: Integrated plat- data collection is an essential first step that can lead to forms can be useful tools for enabling data collection material time and cost savings and improve supervi- and validation between FSPs and supervisory authori- sors’ ability to monitor risks and trends. On the horizon ties, equipping examiners with relevant information are a number of other innovations being developed to during on-site inspections, and facilitating the resolu- improve the granularity, timeliness, and accuracy of tion of consumer complaints. Similarly, technology can data, allow more complex data analyses and risk assess- be leveraged to merge disparate, often “noisy” data ments, and facilitate real-time supervision of the finan- sets. As mentioned above, process automation can be cial system. leveraged to integrate a range of data (for example, monthly off-site supervision returns, financial ombuds- • Advanced data validation, analysis, and visualiza- man data, and credit bureau data) into a single plat- tion: Suptech solutions can be deployed to clean and form or data set. These platforms and data sets can analyze unstructured data, such as analysis of market- generate more efficient information flows across vari- ing materials or consumer agreements using natural ous stakeholders and ensure that supervisors have language processing. Sentiment analysis can be used access to the full range of data and information needed to analyze attitudes expressed in unstructured data for effective market conduct supervision. BOX 2.2 Exploring Machine Readable and Executable Regulations in the United Kingdom The Financial Conduct Authority and Bank of England cuted by the supervised entity. In addition to tempo- have begun exploring the potential for machine read- ral and cost efficiencies, MRER offers the potential able and executable regulations (MRERs), including to remove some level of ambiguity from the inter- through a TechSprint event hosted in November 2017. pretation of regulatory rules and generate automatic Creating an MRER means coding a regulatory require- reporting based on those rules. ment into language that can be read and executed by a machine. During the TechSprint event, partici- As noted in a subsequent paper prepared by Immuta pants successfully coded a small subset of report- and the Yale Law School (Burt et al. 2017), MRER can ing rules from the Financial Conduct Authority hand- be scaled either by focusing supervisory resources on book into a language that machines can understand validating MRER developed by supervised entities or and execute by pulling the relevant information by generating such code themselves. The paper also directly from the supervised entity. Participants also highlights a range of risks inherent in MRER, including successfully simulated a rule change in the handbook incorrect interpretation, errors in the code base, lack in real time. The change was then automatically exe- of flexibility, and opportunities for abuse. 6   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision FIGURE 1: Suptech Conceptual Framework Potential Suptech use cases Automated data- Advanced data validation, Platform and Data management collection processes analysis, visualization database integration and storage (use of data-pull or (cleaning and analysis (examiner dashboards, (use of cloud computing data-input systems; of unstructured data; workflow tools, merging to store big data) machine readable and identification of spikes disparate data sets) executable regulation) and trends) Potential Suptech supervisor-level outcomes Improved scope, Enabling/enhancing More efficient use More efficient information accuracy, consistency, risk-based supervision of resources flows between providers and timeliness of (better identification and (reallocation of staff away and supervisors, between collected information measurement of risk) from manual tasks) consumers and supervisors, and across supervisors Potential Suptech impacts Larger share of financial Improved consumer Improved conduct Better value for limited sector under outcomes (better of providers government resources supervision protection, increased confidence in market) • Data management and storage: Supervisory authori- nology tools with a sound supervisory approach.8 The ties must store efficiently and safely ever-increasing “Sup” and “Tech” components should form a feedback volumes of data. Cloud computing solutions can help loop, where the appropriate supervisory approach drives to manage and store “big data,” enabling convenient the scope and form of Suptech solutions, and the technol- on-demand network access to a shared pool of config- ogy helps to develop a more robust supervisory approach urable computing resources (such as networks, servers, over time. These interactions are highlighted through the storage facilities, applications, and services) that can case examples in section 3. be rapidly released with minimal management effort or FSP interaction. SUPTECH IN PRACTICE: MARKET 3  Figure 1 provides a conceptual overview of examples of CONDUCT CASE STUDIES FROM Suptech use cases and potential outcomes for supervi- THREE COUNTRIES sors, along with potential overall impacts on supervisors, providers, and consumers.7 The Suptech case studies below describe technology solutions used by three supervisory authorities with differ- While Suptech solutions have the potential to improve the ent regulatory and supervisory structures, size and geo- outcomes and impacts of supervisory activities, such graphic spans of remit, and risks addressed. These include enhancements are beneficial only to the extent that they the U.S. Consumer Financial Protection Bureau (CFPB), facilitate a deeper understanding of risks, better decision the Bank of Lithuania, and the Central Bank of Brazil. It is making, and more efficient use of supervisory resources. worth noting that while the U.S. retail financial services Thus, a critical aspect of Suptech is the need to pair tech- Other use cases, outcomes, and impacts are possible depending 7.  As described in BCBS 2012, supervisory authorities should have a 8.  on the country context and specific applications of the technology supervisory approach comprising a methodology for determining solution. and assessing on an ongoing basis the nature, impact, and scope of risks, and processes in place to understand the risk profile of FSPs. See Core Principle 8. 6 From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   7 market is much larger than that of Lithuania or Brazil, all affiliates10 and tens of thousands of nonbank FSPs, the three supervisors face similar supervision challenges, CFPB quickly identified a need for an effective, cost-effi- especially in that each supervisory authority’s ambit covers cient, and consistent way to identify and address con- far more FSPs than its staff can feasibly supervise on a sumer risks. consistent and active basis. Technology solution • Case studies 1 and 2 highlight the implementation of Suptech to enable the use of complaints data collec- One of the CFPB’s Suptech solutions to identify and tion and analysis to enhance market conduct supervi- address consumer risks begins with the use of a customer sion, discussing technology implementations by relationship management (CRM) system that serves as an regulators in the United States and Lithuania. The two online platform to facilitate the complaints-handling pro- supervisory authorities are at different stages of cess between consumers and FSPs.11 CRM systems are implementing and leveraging such technology, and common in many industries (for example, sales, hospital- the country examples are useful in both showing, and ity) and, in this case, provide financial consumers with a contrasting, their experiences and where they are consistent user experience when submitting complaints heading. Although resolving consumer complaints and receiving responses across a number of FSPs.12 The and disputes is not a supervisory activity of itself, the CRM is managed by the bureau’s Office of Consumer collection and analysis of complaints data make up an Response (Consumer Response). important component of a comprehensive supervi- sion program, such as for the purposes of generating Consumers submit complaints via the CRM on the CPFB’s indicators of heightened consumer risk. website using complaint forms tailored to specific prod- ucts. The consumer also submits a complaint narrative in • Case study 3 focuses on a Suptech solution created by which they describe the complaint or issue in their own the Central Bank of Brazil to facilitate remote market words. The completed complaint forms generate struc- conduct supervision. Importantly, the development of tured data, while the complaint narrative represents the technology allows the central bank to supervise a unstructured data. large number of nonbank financial institutions, and pro- vides a platform for expansion to other risk-based mar- Although consumers can also submit responses by phone, ket conduct supervision activities, including consumer mail, and so forth (CFPB staff members then input the protection. submissions into the CRM manually), 81 percent of com- Each subsection below outlines both the Suptech solution plaints in 2017 were submitted by consumers directly via and the supervisory approaches adopted, and how the the online CRM platform. Consumer Response manages the Suptech solution and the supervisory approach sup- these submissions along with those received from third port and inform each other. The case studies also describe parties (for example, from financial advisors, housing the implementation process taken by each supervisor and counselors, family members) and referrals from other the outcomes, challenges, and lessons learned. agencies (such as state attorneys general). Once a complaint is received, it is routed to the FSP via a CASE STUDY: U.S. CONSUMER FINANCIAL 3.1  secure company portal for response within 15 days. Most PROTECTION BUREAU complaints (97 percent) receive FSP responses within the 15-day period (CFPB, “Submit a Complaint”). The FSP’s Overview response (if received) and basic information about the The U.S. Consumer Financial Protection Bureau9 (CFPB) complaint (for example, the subject and date of the com- was established in 2011 as part of the package of post– financial crisis reforms contained in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act. One of CFPB 2017a presents a list of depository institutions subject to 10.  the primary mandates of the CFPB is to enforce consumer CFPB supervisory authority. The CFPB defines consumer complaints as submissions that 11.  financial law consistently across depository and nonde- express dissatisfaction with, or communicate suspicion of pository FSPs. With responsibility for insured depository wrongful conduct by, an identifiable entity related to a institutions with total assets above $10 billion and their consumer’s personal experience with a financial product or service. See CFPB 2017c, 60. The CFPB does not directly resolve complaints or provide recom- 12.  mendations for their disposition. Rather, the bureau facilitates the process via the CRM and by encouraging FSPs to respond in a The statutory name is the Bureau of Consumer Financial 9.  timely manner. The CFPB also does not verify all the facts alleged Protection, as per the Dodd-Frank Wall Street Reform and in these complaints, but it does take steps to confirm that a Consumer Protection Act. commercial relationship exists. 8   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision plaint) are published on the CFPB’s public-facing Con- • Company profiles: Consumer Response produces sumer Complaint Database (CCD). With the consumer’s company profiles that outline the complaint trends for consent, the CFPB also publishes an anonymized version specific FSPs. Such profiles include information on the of the customer’s complaint narrative. issues complained about most frequently and trends over time. These are typically produced in advance of An output of the CRM is the CCD, which contains real- on-site examinations. time structured and unstructured data on consumer com- • Company reports: Consumer Response produces plaints sent to FSPs for response and FSP responses. The company reports that analyze the timeliness, accuracy, CCD provides financial sector stakeholders (including and completeness of an FSP’s complaints response, as other financial sector regulators and state attorneys gen- compared with its peer group. eral) with a resource for identifying emerging trends in consumer risks. • Access portals: The CRM also has several specialized portals to facilitate access by various internal and A public version of the CCD is also posted to the CFPB’s external stakeholders. There is a secure consumer por- website and updated regularly. Aggregate complaints tal, a secure company portal, a secure portal for other data can be downloaded as either a comma-separated financial sector regulators (in the event that a com- value (.CSV) or Javascript Object Notation (JSON) file, or plaint is outside the jurisdiction of the CFPB and needs a subset can be downloaded (for example, all complaints to be forwarded to relevant authorities), and a secure for a specific product) by filtering the full data set and portal for congressional offices. exporting the results. The public can also export the data using the CFPB’s Open Data application programming The process to determine the annual examination sched- interface (CFPB, “Consumer Complaints”). ule is an area where complaints data provides a critical resource.13 The CFPB’s Reporting, Analytics, Monitoring, Interaction of technology solution with supervisory Prioritization and Scheduling Team is tasked with taking a approach data-driven and risk-based approach to developing the annual examination schedule. The CFPB’s risk-assessment The CFPB supervision function relies on analysis of avail- process focuses on specific product lines—known within able data about the activities of the entities it supervises, the CFPB as institution product lines—rather than on the the markets in which they operate, and risks to consumers FSP itself, in order to foster a level playing field and con- posed by activities in these markets. The real-time data in sistent approach between nondepository institutions the CCD helps to trigger early warning systems and iso- (which are often monoline) and depository institutions late trends by product, provider, or geographic area, (which usually have multiple lines of business).14 The enhancing the risk-focused nature of the CFPB’s supervi- risk-assessment process is achieved through a supervision sion planning and oversight. prioritization framework containing four inputs across the following two categories (CFPB 2013b): Consumer complaints inform the following useful resourc- es for the CFPB supervisors: Product markets • Customer Complaints Database: Consumer com- • Market size: the relative product market size in the plaints are available to a range of stakeholders in vari- overall consumer finance marketplace ous forms. In addition to the public-facing CCD, there are internal versions that are used by supervision and • Market risk: the potential risk to a consumer from new enforcement teams to analyze the data for their own or existing products offered in the market purposes, including as an input to the risk matrix that Institution product lines informs the annual examination schedule and for mar- ket monitoring reports. • Institution product size: an entity’s market share or level of activity within a product market • Spikes and trends: The “spikes and trends” tool is an advanced data analysis tool that flags short-, medium-, • Field and market intelligence (FMI): other relevant and long-term changes in complaint volumes in daily, information about a supervised entity weekly, and quarterly windows. Importantly, the tool works regardless of company size, random variation, general complaint growth, and seasonality. Reports Institutions are not on a regular exam cycle. 13.  This aligns with CFPB’s objective of ensuring that consumer 14.  based on the tool are distributed to a range of super- financial laws are enforced consistently across the market, with- vision and enforcement teams within the CFPB. out regard to business structure, type of charter, or location. From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   9 Complaints data is an important input into this process, sumers, minimizing potential harm to consumers and fur- along with a range of other resources.15 In particular, com- ther risk of exposure for the company (CFPB 2017b). plaints data is a principal input into the quantitative com- ponent of the FMI risk score.16 The FMI captures potential Complaints data are shared regularly with other regula- consumer risks—including business, operational, and tors—including federal prudential regulators and state compliance—posed by an institution’s provision of ser- financial sector authorities—via a secure government por- vices in a consumer market (excluding size). Complaints in tal. This secure portal includes more information than the a given institution product line are scaled for size and public-facing website. The CFPB does not create regular, ranked by severity (high severity, medium severity, and customized reports for different regulators, but it does low severity). A concentration of high-severity complaints respond to ad hoc requests from regulators and other is used as a proxy for higher risk in the quantitative FMI government institutions, generally within two days. risk rating, which then is factored into the overall FMI risk rating and finally into the overall risk-tier rating. The CFPB’s Office of Enforcement draws from complaints data as well as market monitoring, supervision, and exter- Although the CFPB establishes an annual exam sched- nal sources, such as other federal and state regulators and ule, the process is dynamic. Supervisors are able to consumer groups, to identify which cases to pursue. This access real-time CCD data to help them respond to process is reactive based on evidence of consumer harm. emerging risks as they appear throughout the year. For Cases are selected based on the egregiousness of the example, a spike in complaints for a given institution case, number of customers harmed, and resources avail- product line (as flagged by the “spikes and trends” tool able to pursue. Enforcement staff members are able to and analyzed within a “spike and trend” memorandum) access the complaints data and conduct their own may result in the modification of the annual examination searches and to share reports with other divisions and reg- schedule or other forms of supervisory actions to include ulators, such as the U.S. Federal Trade Commission.17 the relevant FSP. The CFPB publishes a number of analyses on the com- Examiners are also able to access complaints data— plaints data. For example, a monthly complaints report including while on-site during an examination—via an summarizes complaints data trends by product, state, and internal online dashboard, which provides more dynamic company.18 The report also typically includes a “product and timely information than regular, static reports. The spotlight” (for example, debt collection) and a “geo- CFPB is in the process of integrating this dashboard with graphic spotlight” (such as Florida). The CFPB publishes other tools used by examiners. the annual Consumer Response Annual Report, which summarizes consumer complaints by product.19 Finally, The “spike and trend” tool is also an effective early warn- the CFPB reports semiannually to Congress and the pres- ing system that helps the CFPB to engage with companies ident; the report typically includes an analysis of com- outside the examination schedule structure. For example, plaints data.20 in one instance, the examination team reviewed com- plaints associated with a spike in complaint volume and Implementation process immediately reached out to the company to inform senior As a new organization, the CFPB’s Office of Consumer management and discuss consumers’ concerns. The Response looked to the experiences of other regulators CFPB was able to engage senior managers before they to understand the types of complaints to expect, and it were aware of the matter through their own internal pro- used available complaints data to inform its phased roll- cesses. The company quickly developed and imple- out of complaints handling by product (CFPB 2013a). mented a plan to correct the issues, provided accurate information to customer service representatives, and The CRM was initially developed by an external vendor, developed a refund policy and process for affected con- following an internal conceptualization by the CFPB. The In addition to drawing from complaint statistics, supervision staff 15.  members synthesize information from a wide range of other The U.S. Federal Trade Commission (www.ftc.gov) also has 17.  internal and external sources, including (i) directly from the enforcement authority for certain consumer financial products institution and through monitoring and examination activities; (ii) sold by nonbanks and functions similarly in a reactive enforce- various CFPB market research, policy, consumer response, ment mode based on complaints and referrals. The CFPB and education, and subject matter (for example, Fair Lending) offices FTC share enforcement responsibility for a few products under a and divisions; and (iii) other state and federal regulatory memorandum of understanding (Memorandum 2012). agencies. See example at CFPB 2016. 18.  16.  There is also a qualitative component. See example at CFPB 2018. 19.  See example at CFPB 2015. 20.  10   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision CRM was developed and launched under intense time Law on Consumer Protection further provides BoL with pressure in less than 60 days. More recently, the CRM has the authority to handle complaints as well as settle dis- been migrated to another system in order to integrate putes between consumers and FSPs.21 To support these with the broader IT system of the CFPB. mandates, in 2016 BoL introduced an electronic system to enhance its complaints-handling and dispute-resolu- The CFPB phased in its complaints handling for the prod- tion activities and to capture complaints data more effec- ucts and services under its authority gradually over time: tively for incorporation in its supervisory work. Prior to credit card and mortgage complaints in 2011; bank the introduction of this system, all consumer submissions accounts and services, private student loans, consumer were communicated via post, by e-mail, or in person at loans, and credit reporting in 2012; money transfers, debt the BoL. Information relating to the complaints and dis- collection, and payday loans in 2013; prepaid cards, credit putes was then captured and analyzed largely through repair, debt settlement, pawn and title loans, and virtual an onerous manual process. This made it difficult to keep currency in 2014; and federal student loan servicing in track of dispute-resolution deadlines and decisions and, 2016. As of July 20, 2017, the CFPB has handled approx- relevant for the discussion here, limited the timeliness imately 1.2 million complaints (CFPB website). and usefulness of such data for supervisory activities. Outcomes, challenges, and lessons learned BoL’s recently introduced electronic system now enables The scope and quality of the CFPB’s supervisory approach consumers to submit complaints and disputes online and has benefited as a result of its Suptech-supported allows BoL to store and track progress on the submissions approach to complaints data capture and analysis. The within a single database. Importantly, the data captured CRM provides an innovative platform to collect nearly by the electronic system is incorporated into BoL’s super- real-time data on consumer risks, which is used to inform visory risk assessments, at both the provider and the mar- risk-based supervision and enforcement activities. Internal ket level. Although the system is still in the early stages of tools (for example, dashboards) have also improved the implementation, it has already begun to improve the effi- flow of information within the CFPB and create an effec- ciency and effectiveness of BoL’s supervisory processes. tive platform to facilitate the complaints-handling process For example, it informed a recent decision to undertake a between consumers and FSPs, which is an important ele- thematic review of a particular product category. ment of financial consumer protection. Technology solution An ongoing challenge common to any jurisdiction with The electronic system is made up of two components: an multiple regulators is enabling timely and accurate infor- online complaints and disputes submission platform mation sharing between different agencies. Memoranda hosted on BoL’s website, and an internal electronic data- of understanding establish a common understanding base that stores relevant documents and decisions relat- and process, but better technology interfaces, such as ing to a case. (See figure 2 for an illustration of the system.) application programming interfaces, improve this flow. The online submission platform allows consumers to Sharing information between different regulators raises lodge a complaint or dispute application directly through customer and FSP privacy and confidentiality issues BoL’s website using an electronic signature (BoL 2017a). under U.S. regulations, however, so a balance needs to be achieved. Once a consumer’s application has been submitted via the online platform, it is automatically matched to the rel- Many countries lack the resources available to the CFPB, evant FSP’s record in the internal database.22 Complaints but this does not preclude development of a basic yet and disputes that are not submitted online (those that are robust system in a smaller country. Case study 2 explores submitted, for example, via e-mail or through the post) a more streamlined yet effective approach to leveraging are scanned and manually uploaded into the internal complaints data to inform market conduct supervision. database. The consumer complaint or dispute application is then assessed by staff in the Financial Services and Mar- kets Supervision Department to determine whether it 3.2 CASE STUDY: BANK OF LITHUANIA 21.  Complaints are considered to be violations of consumer rights Overview related to noncompliance with laws and regulations applying to The Bank of Lithuania (BoL) supervises close to 500 FSPs FSPs. Disputes are defined as breaches of contractual obligations between consumers and FSPs. and has a mandate to undertake both prudential super- 22.  The internal database also stores all other relevant information vision and market conduct supervision (BoL 2017b). The relating to an FSP, including licenses. From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   11 FIGURE 2: Bank of Lithuania’s Electronic Complaints System Case information captured Case resolved and information used Customer complains . . . in database for supervisory activities . . . via online platform Resolution decisions (sanctions or recommendations) Consumer application recorded in database routed directly to electronic database Market Conduct Complaint Unit Consumer application E CAS TION review RMA Dispute Dispute Dispute . . . via phone, post INFO or email Resolution Resolution Unit Committee DAT A Risk assessment FSP risk rating DAT exercise A Product or Quarterly or annual service rating statistics publication Consumer application scanned or transcribed and uploaded to the electronic database relates to a complaint or a dispute, and the case is then BoL expects that increasing the amount of qualitative data routed to either the dispute-resolution unit or the com- captured through the system allows it to better assess plaints-handling unit. both FSPs’ regulatory compliance and how fairly they treat their consumers. Data and findings resulting from complaint investigations are sent to the heads of divisions within the Financial Ser- Interaction of technology solution with supervisory vices and Markets Supervision Department. This data is approach then used to determine whether an inspection should be BoL has adopted a risk-based approach to market con- conducted or other administrative sanctions should be duct supervision—that is, resources are allocated toward applied to a particular FSP. For dispute investigations, find- more significant financial market participants or toward ings are submitted to the Dispute Resolution Committee— financial services and products posing the highest risk to comprising members from five different divisions within consumers (BoL 2017b). An annual risk-assessment exer- BoL—which issues nonbinding recommendations to con- cise is carried out to plan for on-site inspections of FSPs, sumers and FSPs. All activities and decisions relating to the as well as for thematic reviews of particular financial ser- complaint or dispute are stored in the internal database. vices and product types. However, inspections can be accelerated during the year when there are indications of The database then allows the generation of risk profile increased risk, including risks to consumers. reports for specific FSPs. The reports are made available to supervision department staff not only on an annual As part of its risk-assessment exercise for FSPs, BoL has basis for FSPs judged of most significance, but also on created a risk matrix that categorizes FSPs into four cat- request for other FSPs. Complaints data is analyzed to egories based on a number of indicators, including the identify weaknesses and risks arising from FSPs’ activi- institution’s size, systemic importance, uniqueness, and ties and processes, including at individual stages of the other quantitative and qualitative indicators. While this product life cycle, such as product oversight and gover- exercise covers mainly traditional prudential risks, BoL nance, product sales, information disclosure, and so on.   11 12   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision FIGURE 3: Scope of Risk-Assessment Exercise for FSPs ing. For example, BoL is planning to incorporate addi- tional analytical tools in the system to enable the supervision teams to engage better with the data stored in the database for their supervisory activities. A. The overall management structure and risk management framework BoL is also working to modify the system to allow consum- B. Business and risk strategy ers and FSPs to track progress of their complaint and dis- pute cases.23 While the electronic system has enabled BoL C. Holistic self-assessment to increase the efficiency of its consumer complaints and dispute-resolution processes, only 25 percent of com- plaints and disputes are currently submitted online. BoL is D. Risk factors & risk profile thus working to increase awareness of the online submis- sion platform, and it is hoped that greater use of the E. Risks for consumers online submission platform will be encouraged by pro- posed upgrades to the system that will enable consumers and FSPs to track progress of their cases directly. Source: Bank of Lithuania While BoL’s technology implementation is ongoing, its is increasingly using data generated by the electronic experience shows that by building on existing technology, database—for example, the number of complaints levied supervisory authorities can begin to generate useful data against an FSP—to inform the risk rating of FSPs from a and information that can assist in identifying and respond- market conduct perspective. (See figure 3 for the range of ing to consumer risks in a timely manner while better man- risks considered.) aging staff and other supervisory resources. For BoL’s risk assessment of financial services and product types from a market perspective, the bank relies almost 3.3 CASE STUDY: CENTRAL BANK OF BRAZIL entirely on statistics from the electronic database. This risk assessment does not necessarily take into account Overview the size or systemic importance of FSPs; rather, it focuses In 2011, the Central Bank of Brazil (BCB) identified a on the risks posed to consumers based on the complaints need to develop and implement a risk-based AML/CFT levied against particular financial products. Once a high- supervision approach for the Brazilian bank and nonbank risk financial service or product type is selected, on-site financial institution (NBFI) sector.24 This was due to a inspections are then carried out across providers of the number of internal and external drivers, including recog- selected financial products, regardless of the size of the nition of the need to capture the risks in this sector bet- institution. ter to ensure a sound and safe national financial system, and to align more closely with international recommen- Outcomes, challenges, and lessons learned dations and best practices. However, a key challenge BoL made the decision to develop the electronic com- facing BCB was the limited resources to oversee the plaints and disputes system as part of a broader internal large number of banks and NBFIs (more than 1,600), strategy to minimize the number of platforms and to inte- which were heterogeneous and located over a vast geo- grate different systems within BoL better. After weighing graphical area. BCB therefore recognized that its super- the option of purchasing an off-the-shelf system versus vision program would require enhanced technology developing the system in-house, BoL determined that the paired with a sound risk-based methodology to accom- in-house option would better achieve their overall objec- plish its goals. tives. The system was developed over 10 months by BoL staff and is based on an Oracle database and the Micro- soft SharePoint system.  ommunication to consumers and FSPs is currently done through 23.  C stated preferred channels—that is, by e-mail or via the post. From a supervisory perspective, BoL has identified bene- In the Brazilian context, NBFIs include credit and deposit-taking 24.   fits resulting from use of the recently implemented sys- financial institutions, such as consumer finance institutions, tem. They include more granular analyses and speedier securities and exchange brokerage institutions, security distribution institutions, leasing companies, microfinance completion of such analyses. However, work on enhancing institutions, development agencies, mortgage companies, the electronic database and the tools it supports is ongo- payment institutions, and credit unions. From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   13 Technology solution FSP. Final supervision reports are generated automatically, BCB’s Integrated System for Supervision Support and using all the information that was input into the system. Communication (SisCom) is a web-based system that These functions have increased the transparency, consis- allows easy and secure sharing of information. It is a tency, and efficiency of the supervision process. communication platform that supports a process for col- lecting data and documents through a web portal and The system also allows forms to be customized and stan- for interacting online with even hard-to-reach FSPs in a dardized, such as information requests to be sent to FSPs cost-effective way; it also enables inspectors to carry out as part of the supervision and examination procedures remote supervision. The data collected is mostly qualita- followed by inspectors. For example, a preloaded form tive (for example, FSPs’ governance, systems, and con- tailored to a specific NBFI sector and topic, such as an trols to mitigate the AML/CFT risks), but it can also be AML/CFT review of a foreign exchange broker, could be quantitative as relevant to assess risks and controls. The automatically sent by the system. Each individual NBFI information is collected using questionnaires and forms completes and uploads the forms within a certain number developed by supervisors to collect detailed information of days as specified by BCB. and uploaded documents, according to the supervisory activity that has been planned. (Figure 4 shows levels/ Interaction of technology solution with tiers of risk-based inspections.) supervisory approach The data collected by SisCom feeds into a methodology SisCom does not analyze or validate all data submitted by that allows BCB to segment and supervise banks and banks and NBFIs automatically, although part of the infor- NBFIs by different risk categories. Inspectors use the sys- mation is validated by the supervisors using other internal tem to record the analysis, documentation, and conclu- and external systems. Besides collecting data, the system sions. The quantitative and qualitative data are processed facilitates the full supervisory process, such as creating for- and analyzed by the supervisors to provide them with two mal letters and information requests that are automatically different perspectives: (i) level of compliance with specific sent to FSPs25 and managing the follow-up process by the regulatory requirements, and (ii) risk assessment, using a rating categorization, based on the risk-based methodol- ogy. In case the provider needs further documents and  tandardized, formal letters and information requests are 25.  S clarifications, the system provides the supervision team manually created by supervisors in the system and are then automatically replicated and sent to all FSPs, increasing with a “chat box” tool to interact easily and quickly with efficiency in the supervisory process. the FSP (available for any type of inspection). FIGURE 4: Central Bank of Brazil’s Conduct Risk Framework for NBFIs 10 9 On-site Direct Inspection (IDP) 8 Internal controls deficiency 7 Remote Direct Inspection (RDP) 6 5 Remote Compliance Inspection (RDP) 4 3 Conduct Continuous Monitoring (ACC) 2 1 0 0 1 2 3 4 5 6 7 8 9 10 Inherent risk 14   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision BCB defines four levels or tiers of risk-based inspection Figure 5 shows the workflow, based on the tiers of risk- (see figure 4), and it is possible to use SisCom to collect based inspection and the use of SisCom at each step. the following data for any inspection tier, as needed. Internal control deficiencies are assessed during the remote compliance inspection, in which inspectors apply 1. Remote compliance inspection: All low and medium risk assessment parameters and use the system to attri- AML/CFT-risk banks and NBFIs undergo this basic bute ratings to each control element by FSP.26 Ratings remote inspection, which provides an initial overall risk range from 1 to 4, with a rating of 1 indicating good inter- appraisal based on compliance risk and controls for nal controls and 4 for very deficient internal controls. The each element. inherent risk is assessed in the risk matrix (figure 4), using 2. Remote direct inspection: A more focused, in-depth the same rating system, in which 1 is low and 4 is high remote inspection, this type of inspection aims at cov- inherent risk. A combination of high inherent risk and high ering specific issues in more detail, depending on the deficiencies in internal controls would plot the FSP in the initial risk assessment. It would still be undertaken red area of the graph shown in figure 4, indicating the remotely, using the system to collect and structure the need for increased supervisory attention, including for information. For this purpose, specific information on-site inspections. requests and examination forms would be appropri- ately tailored. Implementation process 3. On-site direct inspection: This inspection includes While the need for technology to support the aims and some remote aspects but will be undertaken mainly activities outlined above was clear, BCB had to decide on-site, generally in cases in which the perceived risk is whether such technology should be acquired from a ven- higher. dor or developed in-house. Based on previous experi- ence, BCB decided the best approach would be to 4. Continuous monitoring: This in-depth on-site inspec- develop the software in-house. Key factors on which this tion covers the most relevant banks in terms of money- decision was based included the lengthy lead time (esti- laundering risk (among which are systemically import- mated at 10 months) that would be required to contract ant financial institutions) by continuously assessing cor- for a project of this size and scope, the difficulty in finding porate governance, risk management, and compliance. an existing product that met their specifications, and the BCB reports that the automation of the risk assessment, using 26.  the system to attribute rates, is to be developed. FIGURE 5: Central Bank of Brazil’s Conduct Inspection Workflow for NBFIs Other sources of data / information AIR—follow-up SisCom ICR—Remote inspection SisCom SRC—Financial institution rating Risk matrix (banks) SisCom SisCom IDR—Deeper IDP—On-site remote inspection inspection SisCom SisCom Source: Central Bank of Brazil From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   15 fact that BCB had capacity to do so. Designing and devel- infrastructure of the country and FSP readiness for such a oping the software in-house offered substantial cost sav- system, as well as a phased implementation process. ings and allowed for customization, permitting the system to be aligned with the supervisory methodology also in At the beginning of 2018, BCB began migrating SisCom development in parallel with the system. to a new platform, the Automated Supervision Process (APS), which unifies the various supervision applications The development process was a close collaborative used by BCB and integrates them with other systems effort between the IT and supervision departments, within BCB. The aim of the APS project has been to (i) requiring a commitment of six staff members and more provide a unified view of supervisory information, (ii) than two years’ time for the design, development, and improve the sharing of information, (iii) ensure the secu- initial implementation. The close involvement of supervi- rity of information, (iv) streamline and increase the pro- sion staff in the design of the system resulted in a fairly ductivity of the supervisory process, (iv) enhance the smooth implementation process. BCB conducted train- management of the supervisory team and activities, and ing for external users at the beginning of each round of (vi) lower compliance costs to FSPs. It is expected that by supervision, by bank and NBFI sector. The new supervi- the end of 2018 all communications with FSPs will be sory approach and how to use the system was explained, undertaken using the APS and that the majority of keeping in mind that different users have different access inspections and follow-up activities will be managed levels, according to their profiles in the system. For through the APS. example, the FSP’s internal audit department accesses different forms than compliance officers. Additionally, a help desk was created to provide clarification and techno- 4 CROSS-CUTTING CONSIDERATIONS logical assistance tailored to the different financial indus- try sectors, some comprising over 100 providers. The case studies outlined in section 3 highlight how Supt- ech solutions can be leveraged to improve market con- Outcomes, challenges, and lessons learned duct supervision processes in different jurisdictions. In SisCom was considered a successful solution to BCB’s particular, the case studies illustrate that Suptech use challenge of launching a new supervisory program for a cases and outcomes are possible regardless of the size or large and unfamiliar sector with diverse risk profiles. By maturity of the jurisdiction. using technology to improve data collection and com- munication, BCB was able to allocate scarce supervisory While both the CFPB and BoL use technology to leverage resources more appropriately where risks are elevated. the collection, validation, analysis, sharing, and dissemi- The operational needs of a sound underlying methodol- nation of complaints data, they have, importantly, focused ogy were respected during development of the technol- the development of their technology solutions on inform- ogy, allowing for a process that provides a systematic ing and enhancing supervisory approaches, rather than and transparent means of fulfilling the AML/CFT over- designing the supervisory approach around the technol- sight mandate. ogy tool (which could result in a less effective response to relevant risks and the supervisory context). Given the successful experience with AML/CFT, supervi- sors responsible for consumer protection and other BCB These advances within the CFPB and BoL have improved supervision departments started implementing SisCom to the quality, consistency, and timeliness of complaints data, increase efficiency in their supervisory processes. This was expanded the scope of data-collection efforts to meet possible because the system was developed to be flexible an evolving mandate, more efficiently allocated staff and customizable. resources, and improved the flow of information between FSPs, consumers, and supervisors and (in the case of the A key challenge related to the fact that the technology CFPB’s Open Data application programming interface) solution was designed in parallel with the development of allowed for more widespread dissemination of data in the a new supervisory approach and workflow process, rather financial sector. than to support an existing process. This resulted in a pro- longed test-and-learn process in which both the technol- BCB’s case similarly highlights a use of Suptech that has ogy solution and the workflow process were being jointly resulted in improved data collection in a cost-effective developed and revised. way, and better analysis of risks and trends based on that data. Since its launch, the technology platform has Another challenge was a low level of technological capac- achieved a number of important outcomes: improved ity at some of the FSPs. So an important consideration is quality, consistency, and timeliness of data, expanded 16   From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision scope of data collection, more efficient allocation of staff Capacity of Supervisors resources, and better flow of information between FSPs An important consideration when acquiring or developing and supervisors. BCB has consequently been able to Suptech solutions is the readiness of supervisors at every increase the share of the financial sector it has supervised level of the organization to be able to use and administer in a cost-effective, risk-focused manner. such technology. Defining initial business workflow and data needs, pilot testing new software, conducting initial In developing and implementing supervisory approaches and ongoing training, and fostering a positive culture of supported by Suptech, supervisory authorities will need to innovation should be encouraged so that management take into account a range of novel or changed consider- and staff understand and benefit from technology ations and risks, resulting from factors such as digital data enhancements while appreciating the new risks and collection and analysis, and automation of procedures. demands that come with it. Top-level managers do not Some of the most critical are discussed below, which also need to understand programming and other technical include forward-looking considerations not explicitly aspects of a proposed Suptech solution, but they should addressed in the case studies. have sufficient knowledge of the outcomes of such solu- tions in order to make sound decisions regarding pur- Technology as a Tool rather than a Supervisory chases, customization, and upgrades. This is important to Approach ensure that Suptech investments are appropriate to the Suptech solutions for market conduct supervision are needs and resources of the supervisory authority. Supervi- most effective when designed as a tool to enable a sors may want to consider developing a formal technol- well-developed supervisory approach. While supervisory ogy strategy to ensure that the proper systems are in authorities should leverage the opportunities provided by place and that staff skills are sufficient to implement and technology to improve supervisory approaches and pro- manage new technologies. cesses, the parameters of the Suptech solution should not be the key determinant of the supervisory approach. In Another key area is the capacity of the supervisor to shift short, supervisory authorities should not settle for being from compliance-based supervision to risk-based supervi- passive adopters of tools and solutions designed by sion, a shift that can be enabled by Suptech solutions. external vendors or internal IT staff. Rather, as far as prac- Risk-based supervision typically requires greater applica- ticable, supervisory authorities should push for technol- tion of professional judgment. For instance, Suptech solu- ogy solutions to be tailored to their supervisory and tions may provide new data or new analytical tools to organizational needs. Thus, in developing and refining inform a risk rating, but professional judgment is critical to their supervisory approaches, supervisory authorities validate and, in some cases, modify the risk rating (often should work toward identifying functional requirements within certain constraints). Professional judgment is also and nonnegotiable outcomes for any technological solu- necessary to determine the thresholds and analytical tions that are to support those activities. approaches to determine the risk rating in the first place. In such cases, it may be necessary to build the capacity of For example, in interviews conducted for the purposes of supervisory staff or to recruit staff with the requisite skills. this note, several technology service providers indicated that it would be possible to adapt their technology solu- Finally, in leveraging Suptech solutions for advanced data tions for market conduct supervision purposes. However, analysis, supervisory authorities need sufficient capacity to a constraint to developing such off-the-shelf products develop and refine the models onto which the Suptech remains the lack of consensus (both within individual juris- solution is deployed—for example, defining the question, dictions and globally) on appropriate metrics or indicators determining the measurement approach, generating the for market conduct supervision. This suggests that in appropriate data, and assessing the model’s accuracy. many jurisdictions, more work may be needed to develop a supervisory approach for market conduct before neces- Capacity of FSPs sarily seeking a Suptech solution that is automatically able Supervisory authorities will also need to assess FSPs’ to implement it. One ongoing initiative in this area is the capacity to adopt new technologies and interact with the work being done by the Organisation for Economic Suptech solutions being implemented by the supervisory Co-operation and Development Task Force on Financial authority. Significant lead time and training may be neces- Consumer Protection to develop a risk dashboard of pos- sary for less sophisticated FSPs to upgrade their systems sible indicators to monitor consumer protection risks. (See and staff skills and implement proper audit and controls OECD 2018.) so that data and reports are accurate and subject to ade- quate protections. In instances where a single technology From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   17 solution is used by both the supervisor and the FSP, dis- will be critical for supervisors who have greater access to cussions on appropriate levels of cost sharing may also be FSP data as part of monitoring and reporting processes, necessary. Finally, in instances where an FSP has a higher such as in the data-pull and data-input approaches. level of technological sophistication than the supervisory Supervisors should clearly define and follow secure access authority, consideration should be given to the risk that protocols to avoid placing customer and FSP data at risk, the FSP may be able to use the technology or capacity and use strong firewalls and systems to prevent unautho- gap facing the supervisory authority to its own advantage, rized access through external hacks or internal misuse. and to measures to be taken to mitigate such risks. Supervisors should carefully weigh decisions related to expanding access to data, so that privacy and security Operational Risk Management and Data Security risks are proportional to the value of fulfilling the supervi- At a broader level, policy makers will continuously need to sory mandate. assess the effect of technology on data security and pri- vacy so that an appropriate balance between innovation, Supervisors should also identify and address operational, efficiency, and data protection is maintained. Data protec- reputational, and liability risks inherent in greater access tion and privacy laws should be flexible enough to facili- to data. For example, a supervisory authority that gains tate innovative new ways of accessing data for supervisory real-time access to granular data of an FSP may be seen as purposes while protecting the privacy and security of this increasing its responsibility for not addressing misconduct data. Strong operational risk management and controls that could have been predicted from the data. REFERENCES BCB (Central Bank of Brazil) (website), http://www.bcb.gov.br. BCBS (Basel Committee on Banking Supervision). 2012. Core Principles for Effective Banking Supervision. Washington, DC: Bank for International Settlements. https://www.bis.org/publ/ bcbs230.pdf. ———. 2017. Sound Practices: Implications of Fintech Developments for Banks and Bank Supervisors. Washington, DC: Bank for International Settlements. https://www.bis.org/bcbs/ publ/d415.pdf. BoL (Bank of Lithuania) (website), https://www.lb.lt/en/. ———. 2017a. “Settle a Dispute with a Financial Service Provider” (web page), https://www.lb.lt/ en/dbc-settle-a-dispute-with-a-financial-service-provider. ———. 2017b. “Supervisory Activities” (web page), https://www.lb.lt/en/supervisory-activities. Burt, Andrew, Jeremy Aron-Dine, Eugene Kim, Catherine Martinez, and Xiangnong (George) Wang. 2017. “2017 Model Driven and Machine Executable Regulations Tech Sprint: Successful Criteria and Recommendations.” College Park, MD: Immuta, and New Haven, CT: Information Society Project, Yale Law School. https://www.immuta.com/download/recommendations-for- the-fca-and-boes-2017-model-driven-and-machine-executable-regulations-tech-sprint/. CFPB (Consumer Financial Protection Bureau) (website), https://www.consumerfinance.gov/. ———. n.d. “Consumer Complaints” (web page), https://dev.socrata.com/foundry/data.consum- erfinance.gov/jhzv-w97w. ———. n.d. “Submit a Complaint” (web page), https://www.consumerfinance.gov/complaint/. ———. 2013a. Consumer Financial Protection Bureau Strategic Plan, FY 2013–FY 2017. Washing- ton, DC: CFPB. http://files.consumerfinance.gov/f/strategic-plan.pdf. ———. 2013b. Supervisory Highlights. Summer 2013. Washington, DC: CFPB. https://files. consumerfinance.gov/f/201308_cfpb_supervisory-highlights_august.pdf. ———. 2015. Semi-Annual Report of the Consumer Financial Protection Bureau, April 1, 2015– September 30, 2015. Washington, DC: CFPB. http://files.consumerfinance.gov/f/201511_ cfpb_semi-annual-report-fall-2015.pdf ———. 2016. Monthly Complaint Report. Vol. 9 (March 2016). Washington, DC: CFPB. https:// www.consumerfinance.gov/data-research/research-reports/monthly-complaint-report-vol-9. ———. 2017a. “Institutions Subject to CFPB Supervisory Authority” (web page), https://www. consumerfinance.gov/policy-compliance/guidance/supervision-examinations/institutions/. 18 From Spreadsheets to Suptech: Technology Solutions for Market Conduct Supervision   19 ———. 2017b. Supervisory Highlights. Issue 15 (spring 2017). Washington, DC: CFPB. https:// s3.amazonaws.com/files.consumerfinance.gov/f/documents/201704_cfpb_Supervisory-High- lights_Issue-15.pdf. ———. 2017c. Monthly Complaint Report. Vol. 24 (June 2017). http://files.consumerfinance.gov/f/ documents/201706_cfpb-Monthly-Complaint-Report-50-State.pdf. ———. 2018. Consumer Response Annual Report, January 1–December 31, 2017. Washington, DC: CFPB. https://www.consumerfinance.gov/documents/6406/cfpb_consumer-response-an- nual-report_2017.pdf. FCA (Financial Conduct Authority). 2017. “RegTech” (web page), https://www.fca.org.uk/firms/ regtech. Fernández Espinosa, Luz. 2016. “10 Keys to Understand What Regtech Is All About.” BBVA (Banco Bilbao Vizcaya Argentaria) blog, May 23, 2016. https://www.bbva.com/en/10-keys- understand-regtech/. FSB (Financial Stability Board). 2017. Financial Stability Implications from FinTech: Supervisory and Regulatory Issues That Merit Authorities’ Attention. Basel, Switzerland: FSB. http://www.fsb. org/wp-content/uploads/R270617.pdf. IIF (Institute of International Finance). 2016. Regtech in Financial Services: Technology Solutions for Compliance and Reporting. Washington, DC: IIF. https://www.iif.com/publication/ research-note/regtech-financial-services-solutions-compliance-and-reporting. IRTA (International Regtech Association). n.d. “Supporting the Development and Adoption of Regtech.” IRTA blog, https://Regtechassociation.org/2017/04/20/supporting-the-develop- ment-and-adoption-of-Regtech/. Memorandum of Understanding between the Consumer Financial Protection Bureau and the Federal Trade Commission, January 20, 2012. https://www.ftc.gov/system/files/120123ftc-cf- pb-mou.pdf. OECD (Organisation for Economic Co-operation and Development). 2018. Financial Consumer Protection Risk Drivers: A Framework for Identification and Mitigation in Line with the High- Level Principles on Financial Consumer Protection. DAF/CMF/FCP/RD(2017)3/FINAL. Paris, France: OECD. https://one.oecd.org/document/DAF/CMF/FCP/RD(2017)3/FINAL/en/pdf. Petrasic, Kevin, Benjamin Saul, and Helen Lee. 2016. “Regtech Rising: Automating Regulation for Financial Institutions.” White & Case, September 26, 2016, https://www.whitecase.com/sites/ whitecase/files/files/download/publications/Regtech-thought-leadership.pdf. Toronto Centre. 2017. “FinTech, Regtech and Suptech: What They Mean for Financial Supervi- sion.” Toronto, Ontario: Toronto Centre. http://res.torontocentre.org/guidedocs/FinTech%20 RegTech%20and%20SupTech%20-%20What%20They%20Mean%20for%20Financial%20 Supervision.pdf. Woolard, Christopher. 2017. “The FCA’s Regional FinTech Engagement.” Speech delivered at Leeds Digital Festival, April 26, 2017. https://www.fca.org.uk/news/speeches/fca-regional-fin- tech-engagement.