Alexane Gille
LLM in International Business Law at Paris-Panthéon-Assas University, legal compliance specialist
The term “compliance” is gaining popularity around the world. What began as soft law has gradually become hard law, such as France’s Sapin 2 law, the US Foreign Corrupt Practices Act (FCPA) and, more recently, France’s Duty of Vigilance law. Adhering to these rules is essential not only in a company’s own operations but also in the continuous oversight of its suppliers and subsidiaries. As a result, regulatory compliance has become a fast-growing area of the law that plays a critical role across organisations, whether they operate in the financial sector or in other industries.
Compliance regulations and sanctions against companies are becoming increasingly stringent and require constant vigilance from those subject to them. These regulations are constantly evolving to adapt to new realities, and they aim to ensure the transparency, consumer protection, data security and environmental protection that are essential to good governance. However, corporate due diligence is an ongoing process, and meeting these regulatory requirements is a major challenge that demands significant resources in terms of time, money and people.
This is where the emerging concept of RegTech, or regulatory technologies, comes in. RegTech refers to the use of innovative technologies such as artificial intelligence, automation, data analytics and blockchain to help companies comply with regulatory requirements in a more efficient and flexible manner.[1] In this article, we will take a closer look at the role of RegTech as an innovative technology to address corporate compliance challenges (I), while examining its benefits (II) and future prospects (III).
- (I) The challenges companies face in complying with regulations
Companies face several challenges in implementing regulatory compliance measures.
The first major challenge is the diversity and constant evolution of international regulations. As industries grow and become more specialised, they must implement rigorous compliance programmes that require coordination across multiple departments. In addition, standards vary from jurisdiction to jurisdiction, forcing international companies to adapt their operations in different countries to different standards.[2] Failure to do so may result in significant fines and reputational damage. For example, in 2020 Goldman Sachs was fined $2.9 billion by several global regulators, including the US Department of Justice (DoJ), following the 1MDB money laundering scandal involving the Malaysian investment fund.[3] To avoid these problems, companies turn to consultants for advice on compliance. The situation becomes even more complicated when companies have to ensure full and continuous compliance with standards, particularly because of the international scope of these regulations. This requires adherence not only across all global operations but also within internal business units. From supply chain management and financial transactions to due diligence, corporate social responsibility (CSR) and non-financial reporting, these requirements make monitoring and fulfilling regulatory obligations particularly challenging.
The second major challenge is data management. Organisations that process data must ensure its security, confidentiality and integrity to meet regulatory standards, all while defending against cyber-attacks.[4] Regulatory compliance covers the entire data lifecycle, from collecting and storing to analysing vast amounts of sensitive data. In Europe, organisations need to comply with several regulations. For instance, the General Data Protection Regulation (GDPR) sets strict standards for the protection of personal data, while the Directive on measures for a high common level of cybersecurity across the Union (NIS2) aims to strengthen the cybersecurity of critical infrastructure. For data transfers outside the EU, companies (usually a holding or parent company) can rely on standard contractual clauses as a ‘data protection passport’ or adopt Binding Corporate Rules (BCRs) to maintain consistent safeguards across their international subsidiaries. These measures are all the more necessary given the increase in data leaks, which often result from insufficient precautions. For example, the public body ‘Pôle Emploi’, now ‘France Travail’, was the victim of a cyber-attack that compromised the data of over 43 million people. This case is still being investigated by the French National Commission on Informatics and Liberty (CNIL) to identify potential GDPR violations, with the risk of fines and class action lawsuits on the horizon.
The potential penalties associated with regulatory non-compliance, such as financial fines and reputational damage, or even criminal proceedings against managers, encourage the implementation of compliance policies. As a result, companies are increasingly turning to new technologies to reduce errors, automate processes and enable faster identification of risks and obligations. The technology behind RegTech enables companies to address some of the challenges they may face.
- (II) The benefits of RegTech for companies
Using the Sapin 2 law as a benchmark for compliance, companies must implement policies, procedures, risk mapping, and due diligence measures. These actions can rely on automation and technologies such as RegTech, which enhance risk management.
RegTech makes it possible to analyse large volumes of data, streamline operations by automating repetitive tasks, and improve compliance through real-time monitoring and robust risk management. To mitigate the issues discussed in part (I), some firms have adopted systems that categorise their clients’ needs using algorithms tailored to industry sectors and issue alerts whenever a risk situation is updated. OneTrust, for example, is a due diligence solution that allows companies to list their customers in a centralised database and identify critical red flags across multiple risk categories. This automated solution scores each third party according to the type and level of risk it poses to the company and automatically issues alerts when a high-risk situation arises. As a result, organisations can better manage anomalies and suspicious activities, strengthening their ability to prevent regulatory breaches and fraud while adapting to evolving requirements and multiple international standards.
Indeed, the use of artificial intelligence combined with big data analytics can help identify and classify sensitive data, as well as manage user consent. This evolution simplifies compliance with the GDPR and the French anti-money laundering and counter-terrorism financing (AML/CTF) regulations.[5] Going back to OneTrust’s example, its RegTech cloud solution enables companies to comply with data protection laws like the GDPR while automating data analysis.
However, these AI techniques are not yet widely implemented, as they are still under development and need to be implemented gradually to minimise controversy, particularly in relation to ‘predictive justice’. It is therefore important to consider the potential impact of RegTech in the future.
- (III) The outlook: RegTech at the service of regulators
In France, the ‘Sapin 2’ law of 9 December 2016 introduced significant reforms in the area of corporate regulatory compliance by putting in place mechanisms such as risk mapping, codes of conduct and an internal alert system. These improvements reflect the growing importance attached to regulatory compliance. In this context, RegTech is emerging as an essential tool for regulators to meet the challenges of due diligence and risk mitigation.
Various bodies and organisations can act as compliance regulators, depending on the industry and the specific risks faced by the company. However, these regulators often face resource constraints that limit their effectiveness. In this context, RegTech is emerging as a promising solution, offering innovative technological means to help regulators overcome the barriers to supervision. With the support of these new technologies, regulators can fulfil their mission of overseeing the proper functioning of the financial market, protecting consumers and ensuring data security.
Regulators can make use of whistleblowers, a concept developed by the American politician Ralph Nader. A whistleblower is an individual who reports reprehensible acts of corruption, fraud or public danger within their organisation to someone in a position to remedy the situation.[6] However, whistleblowers are often in a delicate position, holding sensitive information and risking significant social consequences such as social stigma, retaliation or loss of career opportunities.
This is where the concept of ‘whistlebots’ (or AI whistleblowers) could offer a new approach, as proposed by Vivienne Brand, assistant professor at UNSW University in Australia.[7] Unlike humans, whistlebots are unaffected by social repercussions (so far) and could provide an impartial perspective on compliance issues. However, the algorithms of these ‘whistlebots’ rely solely on objective, contextual data, which alone cannot eliminate unethical business practices. In fact, current AI models may perceive human subjectivity as risky or unpredictable, potentially favouring a different solution from the programmer’s original intention.[8]
Yet it is important to remember that ethics, despite its imperfections, is a matter of human nature and beliefs, and it should still play a fundamental role when it comes to compliance and the scrutiny of actions. Will the intervention of AI therefore eliminate this human ethical aspect of decision-making and tend towards predictive, mathematical justice? For the moment, the most likely, and most effective, outcome is an intermediate solution: a two-stage intervention in which AI acts first and a human verifies afterwards, in order to achieve this balance. What is certain, however, is that RegTech will play a crucial role in the future of regulatory compliance.
In summary, RegTech leverages new technologies to help companies fulfil their regulatory compliance obligations and effectively manage vast amounts of data and the risks associated with it. RegTech’s flexible framework not only strengthens internal management within companies but also enhances their national and international reputation. However, while RegTech offers powerful tools to improve efficiency, it cannot replace human judgement. For example, tools such as OneTrust’s alerts or whistlebots’ reporting systems can flag potential risks, but their ability to interpret these signals is currently limited, confining them mainly to risk detection rather than fully handling cases. It is therefore crucial to integrate human oversight into the decision-making process. Moving forward, close collaboration between legal professionals and technology developers will be essential to achieving effective and ethical regulatory compliance.
[1] ‘Qu’est-ce qu’une RegTech ?’ (Utocat, 7 July 2021)
[2] Jay McMahan and Michael Chau, ‘Le défi des chefs de la conformité : gérer la réglementation croissante’ (Deloitte Perspectives)
[3] A. Ananthalakshmi and Rozanna Latiff, ‘Explainer: Goldman Sachs and its role in the multi-billion-dollar 1MDB scandal’ (Reuters Asian Markets, 12 October 2023)
[4] Sylvie Miet et al, ‘Les Regtech, un des métiers de la Fintech’ (KPMG France, 2019)
[5] Commission nationale des sanctions, ‘Le dispositif LAB-FT’ (publications of the French Ministry of the Economy)
[6] ‘What is a whistleblower?’ (National Whistleblower Center)
[7] Vivienne Brand, ‘Corporate Whistleblowing, Smart Regulation and RegTech: The Coming of the Whistlebot?’ (2020) 43(3) UNSW Law Journal
[8] Nizan G. Packin, ‘Regtech, Compliance and Technology Judgement Rule’ (2018) 93 Chi.-Kent L. Rev. 193