Appendix B: Major Regulatory Frameworks Reference Guide
A practitioner's guide to the key regulatory frameworks that underpin RegTech compliance obligations. This appendix provides orientation-level summaries — not legal advice. For compliance decisions, consult the primary text and qualified legal counsel.
Last updated to reflect frameworks current as of early 2025. Regulations evolve — check primary sources for current requirements. Where articles are cited, these refer to the primary regulation text as published in the Official Journal of the EU or equivalent primary source.
EU Frameworks
EU AI Act (Regulation 2024/1689)
Full title: Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence
Published: Official Journal, 12 July 2024
Entered into force: 1 August 2024
Phased implementation: Full application from 2 August 2026 (with earlier dates for prohibited practices and GPAI models)
Regulators: National market surveillance authorities; European AI Office (for general-purpose AI); sectoral supervisors (e.g., EBA, ECB, ESMA for financial services AI)
Scope
The AI Act applies to: (a) providers placing AI systems on the EU market or putting them into service in the EU; (b) deployers of AI systems located in the EU; (c) providers and deployers established outside the EU where the output is used in the EU. Financial institutions using AI for credit scoring, AML, fraud detection, or customer service are likely deployers and, if they develop their own models, providers.
Key obligations
Prohibited AI practices (Article 5 — applicable 6 February 2025):
- AI systems using subliminal or manipulative techniques to distort behaviour in ways that cause harm
- AI exploiting vulnerabilities of specific groups (age, disability)
- Social scoring by public authorities leading to unjustified detrimental treatment
- Real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions)
- Retrospective biometric categorisation systems
- Emotion recognition in workplaces or educational institutions (with exceptions)
- AI to infer protected characteristics from biometric data
High-risk AI requirements — Articles 9–15 (applicable 2 August 2026):
Annex III lists high-risk AI categories. Relevant for RegTech: AI systems used for creditworthiness assessment and credit scoring (Annex III.5(b)); AI used for risk assessment and insurance pricing (Annex III.5(c)); law enforcement (AML pattern detection may fall here depending on use). Obligations for high-risk AI:
- Risk management system (Article 9): Documented, ongoing risk management throughout the lifecycle. Risk identification, estimation, evaluation, and residual risk acceptance.
- Data governance (Article 10): Training, validation, and testing datasets must be subject to data governance practices. Data must be relevant, representative, free of errors, and complete. Special provisions for sensitive characteristics.
- Technical documentation (Article 11 + Annex IV): Comprehensive documentation before placing on market, including system description, design choices, training methodology, performance metrics, and limitations.
- Record-keeping / logging (Article 12): High-risk AI systems must have logging capability enabling reconstruction of events over the system's lifetime. Financial sector minimum retention: as required by sectoral law (typically 5–7 years).
- Transparency (Article 13): Information must be provided to deployers sufficient to enable them to assess compliance. Output transparency where natural persons interact with the system.
- Human oversight (Article 14): High-risk AI must allow natural persons to oversee the system, monitor operation, identify anomalies, and override or interrupt system output. For automated decisions (credit, AML), this typically means an analyst review workflow before adverse action.
- Accuracy, robustness, and cybersecurity (Article 15): Appropriate accuracy and robustness throughout the lifecycle. Resilience against adversarial input and data poisoning.
- Conformity assessment (Article 43): Self-assessment for most Annex III uses; third-party assessment for biometric identification and certain critical infrastructure uses.
- EU database registration (Article 71): High-risk AI systems must be registered in the EU public database before deployment.
- Post-market monitoring (Article 72): Providers must establish post-market monitoring systems and report serious incidents to national authorities.
General-purpose AI models (Articles 51–56): Providers of GPAI models (large foundation models) have additional obligations including technical documentation, copyright compliance, and (for systemic-risk models) adversarial testing and incident reporting to the AI Office.
RegTech relevance
- Credit risk models and scoring engines: likely high-risk (Annex III.5(b)) — full regime applies
- AML transaction monitoring models: assessment needed; law enforcement use triggers high-risk classification
- Customer service chatbots: general AI transparency obligations under Article 50
- Explainability systems built for SR 11-7 compliance may simultaneously satisfy Article 13/14 requirements
- SHAP/LIME explanations and human-in-the-loop review workflows map directly to Article 14 requirements
Key articles summary
| Article | Subject | Key Requirement |
|---|---|---|
| 5 | Prohibited practices | Absolute prohibitions — effective 6 Feb 2025 |
| 9 | Risk management | Documented risk management system throughout lifecycle |
| 10 | Data governance | Training data quality, representativeness, bias assessment |
| 11 | Technical documentation | Annex IV documentation before market placement |
| 12 | Record-keeping | Logging capability for lifecycle event reconstruction |
| 13 | Transparency | Sufficient information to deployers; output transparency |
| 14 | Human oversight | Override/interrupt capability; anomaly detection |
| 15 | Accuracy/robustness | Performance and cybersecurity standards |
| 43 | Conformity assessment | Self-assessment or third-party (biometric/critical infra) |
| 50 | Transparency obligations | Disclosure of AI interaction to natural persons |
| 71 | Registration | EU database registration before high-risk AI deployment |
| 72 | Post-market monitoring | Ongoing monitoring; serious incident reporting |
DORA (Digital Operational Resilience Act)
Full title: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
Published: Official Journal, 27 December 2022
Applicable: 17 January 2025
Regulator: Sectoral financial supervisors (EBA, ESMA, EIOPA, ECB-SSM); national competent authorities. Joint Oversight Committee oversees critical third-party ICT providers (CTPPs).
Scope
DORA applies to virtually all EU-regulated financial entities: credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers (under MiCA), insurance undertakings, pension funds, credit rating agencies, data reporting services providers, and their ICT third-party service providers. The breadth is intentional — the EU legislature recognised that ICT risk is systemic across financial services.
Key obligations
ICT risk management framework (Articles 5–16):
- Governing body bears ultimate responsibility for ICT risk management (Article 5). Senior management accountability — not delegable to IT.
- Entities must maintain and regularly test a comprehensive ICT risk management framework including: ICT risk identification; protection and prevention; detection; response and recovery; and learning and evolution.
- Business continuity policy and ICT business continuity plans (Article 11).
- Backup policies; backup system testing; restoration testing (Article 12).
- ICT systems, protocols, and tools must meet resilience, capacity, and performance standards (Article 6).
ICT-related incident management, classification, and reporting (Articles 17–23):
- Entities must establish and implement an ICT-related incident management process.
- Major ICT incidents must be reported to competent authorities:
  - Initial notification: within 4 hours of classification as major, no later than 24 hours from detection
  - Intermediate report: within 72 hours of the initial report
  - Final report: within 1 month of initial notification
- Voluntary reporting of significant cyber threats (Article 19).
- Incident classification criteria set by EBA/ESMA/EIOPA in regulatory technical standards (RTS) under Articles 18(3) and 20.
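The three reporting clocks above interact in a way that incident-response tooling has to get right: the initial notification is due 4 hours after classification but capped at 24 hours from detection, so a slow classification can leave the deadline already in the past, and the intermediate and final clocks run from the initial report rather than from detection. The following Python is an added illustration written for this appendix, not code from DORA or from any supervisor; it reads "1 month" as one calendar month (an assumption the text does not settle) and uses constructed timestamps.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows as stated in the DORA summary above (Articles 17-23).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, clamping the day to the target month's length.
    Reading "1 month" as a calendar month is an assumption made here, not something the text specifies."""
    year = dt.year + (1 if dt.month == 12 else 0)
    month = 1 if dt.month == 12 else dt.month + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial_due: datetime
    intermediate_due: datetime
    final_due: datetime
    # True when the 24h-from-detection cap, rather than 4h-from-classification, sets the initial deadline.
    initial_cap_binds: bool
    # True when the initial deadline had already passed at the moment the incident was classified as major.
    overdue_at_classification: bool


def compute_deadlines(detected_at: datetime, classified_major_at: datetime,
                      initial_sent_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the three DORA reporting deadlines from timestamped IR events (timezone-aware datetimes only)."""
    for name, ts in (("detected_at", detected_at), ("classified_major_at", classified_major_at)):
        if ts.tzinfo is None:
            raise ValueError(f"{name} must be timezone-aware")
    if classified_major_at < detected_at:
        raise ValueError("an incident cannot be classified before it is detected")

    from_classification = classified_major_at + INITIAL_AFTER_CLASSIFICATION
    from_detection = detected_at + INITIAL_CAP_AFTER_DETECTION
    initial_due = min(from_classification, from_detection)

    # The intermediate and final clocks run from the initial report; until it has been sent,
    # plan against the initial deadline itself.
    base = initial_sent_at if initial_sent_at is not None else initial_due
    return ReportingDeadlines(
        initial_due=initial_due,
        intermediate_due=base + INTERMEDIATE_AFTER_INITIAL,
        final_due=add_one_month(base),
        initial_cap_binds=from_detection < from_classification,
        overdue_at_classification=initial_due < classified_major_at,
    )


# Constructed sample timeline (not a real incident): detected 09:00 UTC on 1 March 2025,
# classified as major either three hours later or 22 hours later.
SAMPLE_DETECTED = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_CLASSIFIED_PROMPT = SAMPLE_DETECTED + timedelta(hours=3)
SAMPLE_CLASSIFIED_LATE = SAMPLE_DETECTED + timedelta(hours=22)

if __name__ == "__main__":
    for label, classified in (("prompt classification", SAMPLE_CLASSIFIED_PROMPT),
                              ("classification 22h after detection", SAMPLE_CLASSIFIED_LATE)):
        print(label, compute_deadlines(SAMPLE_DETECTED, classified))
```

With the prompt classification the initial notification is due at 16:00 on 1 March (4 hours after classification); with the late classification the 24-hour cap binds and the notification is due at 09:00 on 2 March, two hours after the incident was even classified. Feeding the real sent time of the initial report into `initial_sent_at` re-bases the intermediate and final deadlines on the actual filing.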
Digital operational resilience testing (Articles 24–27):
- Basic testing: all financial entities must perform annual ICT tools and systems testing. Minimum: vulnerability assessments, open-source analyses, network security assessments, gap analyses.
- Advanced testing — Threat-Led Penetration Testing (TLPT) (Articles 26–27): Required for significant financial entities (criteria in RTS). TLPT mimics real threat-actor tactics. Must be conducted at least every 3 years. Testing must cover all critical or important functions. Third-party providers supporting those functions must participate.
ICT third-party risk management (Articles 28–44):
- Entities must manage ICT third-party concentration risk.
- Pre-contractual due diligence and ongoing monitoring of third-party ICT providers.
- Contracts with ICT providers must include specific provisions (Article 30): service levels, audit rights, data portability, termination provisions, sub-outsourcing details.
- Register of all ICT contractual arrangements (Article 28(3)).
- Designation of critical third-party providers (CTPPs) by supervisory authorities; CTPPs subject to Oversight Framework (Articles 31–44) including lead overseer designation, comprehensive assessments, and binding recommendations.
Information sharing (Article 45):
- Financial entities encouraged to voluntarily share cyber threat intelligence within trusted communities.
RegTech relevance
DORA directly governs RegTech vendors providing cloud-hosted compliance platforms, transaction monitoring systems, or identity verification services to EU financial entities. From a financial institution perspective:
- All RegTech SaaS providers are ICT third-party service providers under DORA
- Contracts with RegTech vendors must include DORA Article 30 provisions from 17 January 2025
- Cloud providers supporting compliance infrastructure (AWS, Azure, GCP) are CTPPs if designated
- Incident response plans must cover RegTech platform outages
- RegTech system monitoring and access audit logs support DORA Article 12 logging requirements
Key articles summary
| Article | Subject | Key Requirement |
|---|---|---|
| 5 | Governance | Board-level ICT risk responsibility |
| 6 | ICT risk framework | Comprehensive framework: identify, protect, detect, respond, recover |
| 11 | Business continuity | Tested ICT business continuity plans |
| 12 | Backup and recovery | Backup policies and tested restoration procedures |
| 17 | Incident management | Incident classification process |
| 19 | Incident reporting | Major incidents: 4h/72h/1-month reporting timeline |
| 24–25 | Resilience testing | Annual testing for all entities |
| 26–27 | TLPT | Threat-led pen testing every 3 years for significant entities |
| 28 | Third-party risk | ICT contract register; pre-contractual due diligence |
| 30 | Contract provisions | Mandatory DORA clauses in ICT provider contracts |
| 31–44 | CTPP oversight | Lead overseer regime for critical ICT providers |
GDPR (General Data Protection Regulation)
Full title: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data
Applicable: 25 May 2018
Regulator: National supervisory authorities (DPAs); European Data Protection Board (EDPB) for cross-border consistency
Scope
GDPR applies to the processing of personal data of data subjects in the EU, regardless of where the controller or processor is established. It applies to financial institutions processing customer data for KYC, transaction monitoring, credit assessment, marketing, and any other purpose. The regulation has broad extraterritorial effect.
Key obligations
Lawful basis for processing (Article 6): Every processing activity requires a lawful basis. For financial services, the most common are:
- Article 6(1)(b): performance of a contract (e.g., executing a payment)
- Article 6(1)(c): compliance with a legal obligation (e.g., AML screening, CTR filing)
- Article 6(1)(f): legitimate interests (e.g., fraud prevention, with balancing test)
- Article 6(1)(a): consent (e.g., marketing communications — freely given, specific, informed, withdrawable)
Automated decision-making including profiling (Article 22): Where a decision based solely on automated processing produces legal or similarly significant effects on a data subject, the subject has the right to: (a) human review; (b) express their point of view; (c) contest the decision. This article is directly engaged by automated credit scoring and AML risk rating systems.
Data minimisation and purpose limitation (Articles 5(1)(b) and (c)): Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Data must be adequate, relevant, and limited to what is necessary. RegTech implication: collecting additional customer data "just in case" it might be useful for future monitoring is not compliant.
Data subject rights (Articles 15–22):
- Right of access (Article 15): Data subjects may request what data is held, the purpose, retention period, and recipients.
- Right to rectification (Article 16): Correction of inaccurate data.
- Right to erasure (Article 17): "Right to be forgotten" — subject to retention obligations under other laws (e.g., AML record-keeping requirements override this for required records).
- Right to restriction (Article 18): Processing paused pending resolution of a dispute.
- Right to data portability (Article 20): Structured, machine-readable format for data provided on consent or contract basis.
- Right to object (Article 21): Object to processing based on legitimate interests.
- Automated decision rights (Article 22): See above.
Privacy by design and by default (Article 25): Technical and organisational measures to implement data protection principles effectively. Data protection must be integrated into system design — not bolted on.
Data Protection Impact Assessment (DPIA) (Article 35): Required for high-risk processing, including systematic evaluation of personal aspects using automated processing (profiling), large-scale processing of sensitive categories, systematic monitoring of a publicly accessible area. In practice, most AML transaction monitoring systems and credit scoring models require a DPIA.
Data Protection Officer (DPO) (Articles 37–39): Mandatory for public authorities, entities whose core activities require regular and systematic monitoring of individuals at large scale, and entities processing special categories at large scale. Most large financial institutions are required to appoint a DPO.
International data transfers (Articles 44–49): Transfers to countries outside the EEA require either: an adequacy decision; Standard Contractual Clauses (SCCs); Binding Corporate Rules; or an Article 49 derogation. Schrems II (CJEU, 2020) invalidated the EU-US Privacy Shield; US transfers now require SCCs plus a Transfer Impact Assessment (TIA). The EU-US Data Privacy Framework (July 2023) provides an adequacy basis for US transfers to certified organisations — but remains subject to legal challenge.
Security (Article 32): Appropriate technical and organisational measures to ensure security appropriate to the risk. Includes encryption of data at rest and in transit, access controls, pseudonymisation, and regular testing.
Breach notification (Articles 33–34): Personal data breaches must be notified to the supervisory authority within 72 hours. If the breach is likely to result in high risk to individuals, the individuals must also be notified without undue delay.
Key articles summary
| Article | Subject | Key Requirement |
|---|---|---|
| 5 | Principles | Lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality |
| 6 | Lawful basis | One of six bases required for every processing activity |
| 9 | Special categories | Explicit consent or specific exemption for biometrics, health data, etc. |
| 13–14 | Transparency | Privacy notice at point of collection |
| 17 | Erasure | Right to erasure subject to legal obligations |
| 22 | Automated decisions | Human review right for automated consequential decisions |
| 25 | Privacy by design | Data protection integrated into system design |
| 30 | Records of processing | Article 30 Register of Processing Activities (RoPA) |
| 32 | Security | Appropriate technical and organisational measures |
| 33–34 | Breach notification | 72-hour supervisory notification; individual notification for high-risk breaches |
| 35 | DPIA | Impact assessment for high-risk processing |
| 44–49 | Transfers | Adequacy, SCCs, or derogation for transfers outside EEA |
EU AML Package / AMLA
Key instruments:
- AMLR (Anti-Money Laundering Regulation): Regulation (EU) 2024/1624 — directly applicable uniform AML/CFT rules
- 6AMLD (Sixth Anti-Money Laundering Directive): Directive (EU) 2024/1640 — institutional framework, FIUs, supervisory cooperation
- AMLA Regulation: Regulation (EU) 2024/1620 — establishes the Anti-Money Laundering Authority
Published: June 2024
Implementation: Applicable from 10 July 2027; AMLA operational from 2025 with direct supervision from 2028
Scope
The EU AML Package consolidates and harmonises EU AML/CFT obligations across member states. Obliged entities include: credit institutions, financial institutions, crypto-asset service providers (under MiCA), payment service providers, insurance companies, accountants, auditors, lawyers, real estate agents, company service providers, and others.
Key obligations
Risk-based approach (AMLR Chapter II):
- Obliged entities must conduct enterprise-level business risk assessments.
- Customer Due Diligence (CDD) required at onboarding and on an ongoing basis.
- Risk factors: geographic risk, product/service risk, delivery channel risk, customer risk.
- Simplified Due Diligence (SDD) permitted for lower-risk situations specified in AMLR Annex II.
- Enhanced Due Diligence (EDD) required for higher-risk situations including: PEPs; correspondent banking; high-risk third countries; transactions with no apparent economic purpose; complex or unusual large transactions.
Customer Due Diligence (AMLR Articles 20–49):
- Identify and verify: for natural persons — full name, date and place of birth, nationality, unique identifier (e.g., passport number); for legal entities — name, legal form, registered address, purpose and nature of business, LEI where available.
- Beneficial ownership: identify natural persons owning or controlling more than 25% for legal entities; for trusts and similar structures, identify settlor, trustee(s), protector, beneficiaries.
- Ongoing monitoring: scrutinise transactions to ensure consistency with knowledge of customer and risk profile.
- Refusal and termination: must refuse or terminate business relationship where CDD cannot be completed.
- PEPs: enhanced scrutiny for domestic PEPs (new under 2024 package — previously only foreign PEPs required EDD); senior management approval for PEP relationships.
Beneficial ownership registers (6AMLD Articles 10–21):
- Member states must maintain central registers of beneficial ownership for corporate entities and trusts.
- Access: competent authorities and FIUs have unrestricted access; obliged entities and the public have conditional access (Note: CJEU ruling in WM/Sovim (C-37/20, 2022) restricted public access; member states implementing revised access frameworks).
Suspicious activity reporting (AMLR Articles 69–79):
- Obliged entities must report suspicions of ML/TF to their national FIU promptly.
- Tipping-off prohibition: entities must not disclose that a report has been filed or that an investigation is ongoing.
- Safe harbour: good-faith disclosure to FIU provides protection from liability.
AMLA (Anti-Money Laundering Authority):
- Established in Frankfurt. Operational from July 2025. Direct supervisory powers from July 2028.
- Will directly supervise the 40 riskiest obliged entities operating in at least 6 member states (selected every 3 years).
- Issues binding technical standards and guidelines; coordinates college of AML supervisors.
- Supports FIU cooperation through the FIU.net network.
Key obligations summary
| Obligation | Instrument | Detail |
|---|---|---|
| Business risk assessment | AMLR Art. 10 | Enterprise-level assessment; documented; kept current |
| Customer risk assessment | AMLR Art. 20 | Individual customer risk rating; methodology documented |
| Identity verification | AMLR Art. 22 | Obligatory for all new customers; electronic verification permitted |
| Beneficial ownership | AMLR Art. 25–29 | 25% threshold; verify through multiple sources |
| PEP screening | AMLR Art. 35 | Domestic and foreign PEPs; senior management approval |
| Sanctions screening | AMLR Art. 19 | Mandatory pre-transaction screening against designated lists |
| Ongoing monitoring | AMLR Art. 20(2) | Transactions scrutinised; periodic reviews |
| Suspicious activity reporting | AMLR Art. 69 | Prompt reporting to FIU; no tipping off |
| Record retention | AMLR Art. 77 | Minimum 5 years; extendable to 10 years by member state |
MiFID II / MiFIR
Full title: Directive 2014/65/EU on markets in financial instruments (MiFID II) + Regulation (EU) 600/2014 (MiFIR)
Applicable: 3 January 2018
Key subsequent amendment: MiFIR Review (Regulation (EU) 2024/791) — phased implementation from 2024–2026
Regulators: ESMA (single rulebook); national competent authorities (e.g., FCA pre-Brexit; BaFin, AMF, AFM)
Scope
MiFID II/MiFIR applies to investment firms, credit institutions conducting investment services, market operators, data reporting services providers, and third-country firms accessing EU markets. Covers: reception and transmission of orders, execution, portfolio management, investment advice, underwriting, and operation of trading venues.
Key obligations
Transaction reporting (MiFIR Article 26):
- Investment firms must report details of every transaction in financial instruments admitted to trading on an EU trading venue (or with an EU ISIN) to their NCA by end of the following working day (T+1).
- Reports submitted via Approved Reporting Mechanisms (ARMs).
- 65 data fields including: trading venue (MIC code); instrument details (ISIN, CFI); counterparty LEI; trader identifiers; buyer/seller indicators; price; quantity; timestamp (microsecond precision for systematic internalisers).
- Waivers and deferrals for certain illiquid instruments and large transactions.
- MiFIR Review: Consolidated Tape providers to aggregate post-trade data.
Best execution (MiFID II Article 27 + RTS 27/28):
- Firms must take all sufficient steps to obtain best result for clients considering price, costs, speed, likelihood of execution, and other factors.
- Annual publication of top 5 execution venues (RTS 28 reports — now reviewed under MiFIR Review).
Product governance (MiFID II Articles 16(3) and 24(2)):
- Manufacturers: define target market; product testing and review; distribution strategy.
- Distributors: understand products; ensure distribution consistent with target market.
Algorithmic trading and HFT (MiFID II Articles 17 and 48):
- Firms using algorithmic trading must have adequate systems and risk controls: pre-trade risk limits; kill switches; annual self-assessment.
- HFT firms: additional monitoring obligations; market making obligations in volatile conditions.
Market abuse prevention (MAR — Regulation (EU) 596/2014): While separate from MiFID II, MAR is closely linked. Key obligations:
- Market soundings procedures.
- Insider lists.
- Transaction surveillance for insider dealing and market manipulation (watch lists, surveillance systems).
- Suspicious Transaction and Order Reports (STORs) to NCAs.
Key RegTech relevance
- Transaction reporting accuracy is a key area of FCA/ESMA supervisory focus; systematic errors attract significant fines
- LEI data quality is critical — transactions with missing or invalid LEIs cannot be reported
- Algorithmic trading surveillance: firms must monitor for wash trades, spoofing, layering, and marking the close
- MiFIR Review introduces Designated Reporting Entity (DRE) model and revises transparency waivers
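The transaction-reporting bullets above say that reports carry a venue MIC, an ISIN, a counterparty LEI and a microsecond timestamp, and that a missing or invalid LEI makes a transaction unreportable. Both LEI (ISO 17442) and ISIN (ISO 6166) carry check digits, so much of this data-quality risk can be caught before a report reaches the ARM. The Python below is an added example written for this appendix, not code from ESMA, an ARM or any RegTech product: it validates the two identifier check digits (MOD 97-10 for LEI, Luhn over the letter-expanded string for ISIN) and runs a small pre-submission check over a record. The record field names are assumptions for illustration and are not the RTS field list; the sample LEI is built from a made-up prefix with computed check digits.

```python
import re
from datetime import datetime


def _alnum_to_digits(s: str) -> str:
    """Expand letters to two-digit values (A=10 ... Z=35); digits pass through. Used by both LEI and ISIN checks."""
    out = []
    for ch in s:
        if ch.isdigit():
            out.append(ch)
        elif "A" <= ch <= "Z":
            out.append(str(ord(ch) - ord("A") + 10))
        else:
            raise ValueError(f"non-alphanumeric character {ch!r}")
    return "".join(out)


LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def lei_is_valid(lei: str) -> bool:
    """ISO 17442 LEI: 20 characters whose last two are ISO 7064 MOD 97-10 check digits (whole string mod 97 == 1)."""
    if not LEI_RE.match(lei):
        return False
    return int(_alnum_to_digits(lei)) % 97 == 1


def lei_check_digits(prefix18: str) -> str:
    """Compute the two MOD 97-10 check digits for an 18-character LEI prefix."""
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 uppercase alphanumeric characters")
    remainder = int(_alnum_to_digits(prefix18 + "00")) % 97
    return f"{98 - remainder:02d}"


ISIN_RE = re.compile(r"^[A-Z]{2}[A-Z0-9]{9}[0-9]$")


def isin_is_valid(isin: str) -> bool:
    """ISO 6166 ISIN: letters expanded to digits, then a Luhn check over the full digit string."""
    if not ISIN_RE.match(isin):
        return False
    digits = [int(d) for d in _alnum_to_digits(isin)]
    total = 0
    for i, d in enumerate(reversed(digits)):  # i == 0 is the check digit itself, never doubled
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


MIC_RE = re.compile(r"^[A-Z0-9]{4}$")  # ISO 10383 market identifier code
# Hypothetical record field names for the example; the real report has 65 fields defined in the RTS.
REQUIRED = ("trading_venue_mic", "instrument_isin", "counterparty_lei", "price", "quantity", "trading_datetime")


def validate_report(rec: dict) -> list:
    """Return a list of readable problems; an empty list means the record passes these pre-submission checks."""
    problems = [f"missing field: {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    if problems:
        return problems
    if not MIC_RE.match(rec["trading_venue_mic"]):
        problems.append("invalid MIC code")
    if not isin_is_valid(rec["instrument_isin"]):
        problems.append("invalid ISIN (format or check digit)")
    if not lei_is_valid(rec["counterparty_lei"]):
        problems.append("invalid counterparty LEI (format or check digits)")
    for field in ("price", "quantity"):
        if not (isinstance(rec[field], (int, float)) and rec[field] > 0):
            problems.append(f"{field} must be a positive number")
    try:
        ts = datetime.fromisoformat(rec["trading_datetime"])
        if ts.tzinfo is None:
            problems.append("trading_datetime must carry a timezone (UTC expected)")
    except (TypeError, ValueError):
        problems.append("trading_datetime is not ISO 8601")
    return problems


# Constructed sample records (not real trades). The LEI prefix is invented; its check digits are computed.
SAMPLE_LEI = "529900T8BM49AURSDO" + lei_check_digits("529900T8BM49AURSDO")
GOOD_RECORD = {
    "trading_venue_mic": "XLON",
    "instrument_isin": "US0378331005",  # well-known valid ISIN (Apple Inc. common stock)
    "counterparty_lei": SAMPLE_LEI,
    "price": 171.25,
    "quantity": 100,
    "trading_datetime": "2025-03-03T10:15:30.123456+00:00",
}
# One corrupted LEI character and a naive (timezone-less) timestamp.
BAD_RECORD = dict(GOOD_RECORD, counterparty_lei="6" + SAMPLE_LEI[1:], trading_datetime="2025-03-03 10:15:30")

if __name__ == "__main__":
    print("good:", validate_report(GOOD_RECORD))
    print("bad: ", validate_report(BAD_RECORD))
```

Check-digit validation only proves an identifier is well-formed; it does not prove the LEI is active or belongs to the counterparty named in the trade, so a production pipeline would still reconcile against the GLEIF data and the firm's reference-data master. The value of doing the syntactic check first is that it is free and catches transcription errors before they become rejected reports.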
UK Frameworks
FCA Consumer Duty (PS22/9)
Full title: FCA Policy Statement PS22/9, A new Consumer Duty
In force: 31 July 2023 (existing products and services); 31 July 2024 (closed book products)
Regulator: Financial Conduct Authority
Scope
Consumer Duty applies to all FCA-regulated firms in the retail financial services distribution chain who have a material influence over, or determine, retail customer outcomes. It applies to product manufacturers, distributors, and all firms with a direct relationship with retail customers. It does not apply to professional clients or eligible counterparties under MiFID II classification.
Key obligations
The Duty consists of an overarching principle, a cross-cutting rules layer, and four outcome requirements.
The Consumer Principle (PRIN 12): "A firm must act to deliver good outcomes for retail customers." This is a higher standard than the previous "Treating Customers Fairly" (TCF) initiative — it requires firms to actively seek good outcomes, not merely avoid causing harm.
Cross-cutting rules (PRIN 2A):
- Act in good faith toward retail customers.
- Avoid causing foreseeable harm.
- Enable and support customers to pursue their financial objectives.
Four Outcome requirements:
- Products and Services (PROD): Products and services must be designed to meet the needs of an identified target market and distributed appropriately. Products that consistently deliver poor outcomes for customers should be withdrawn.
- Price and Value (PRIN 2A.3): Firms must ensure the price paid for a product or service is reasonable relative to the benefits. Value assessments required. Manufacturers must produce value assessments; distributors must review them and act where value is poor.
- Consumer Understanding (PRIN 2A.4): Communications must be clear, fair, and not misleading — but more than this: firms must test whether consumers actually understand their products. Particular attention to vulnerable customers, digital journeys, and financial promotions.
- Consumer Support (PRIN 2A.5): Support must meet customers' needs. Unreasonably long wait times, difficult complaint processes, and unnecessary barriers to switching or exiting are all in scope.
RegTech relevance
- Outcome monitoring: firms need data infrastructure to monitor whether products are delivering good outcomes — not just complaints, but proactive outcome measurement
- Vulnerable customer identification: systems to identify customers in financial difficulty, with mental health issues, or experiencing life events that affect financial capability
- MI and reporting: Consumer Duty requires robust Management Information (MI) to evidence outcomes. Automated reporting pipelines from transaction data to outcome dashboards are directly in scope
- Digital journey testing: firms must test that digital journeys produce customer understanding — behavioural analytics and A/B testing of disclosures
- Price and value: data systems to compare pricing against value delivered and identify systematic poor value
FCA/PRA Operational Resilience (PS21/3 / SS1/21)
FCA: Policy Statement PS21/3 (March 2021); in force 31 March 2022; impact tolerances must be met by 31 March 2025
PRA: Supervisory Statement SS1/21 (March 2021); same timeline
Scope
Applies to FCA-regulated banks, building societies, and PRA-designated investment firms. For FCA-only firms (insurers, non-bank financial services), FCA PS21/3 applies with equivalent requirements. Also applies to the three major FMIs regulated by the Bank of England.
Key obligations
Important Business Services (IBS): Firms must identify their Important Business Services — the services they provide to external end users whose disruption could cause harm to consumers, market integrity, or financial stability. Examples: retail payments processing, mortgage origination, investment trade execution.
Impact tolerances: For each IBS, firms must set a maximum tolerable period of disruption (impact tolerance). Tolerances must be expressed in specific measurable metrics (e.g., "99% of payment instructions processed within 2 hours"; "maximum 4-hour outage for retail online banking"). All impact tolerances must be capable of being met from 31 March 2025.
Mapping and scenario testing:
- Map the people, processes, technology, and third-party dependencies that support each IBS.
- Conduct severe but plausible disruption scenarios to identify vulnerabilities.
- Scenario testing must genuinely challenge the impact tolerance — not just verify normal operations.
Lessons learned and self-assessment: Firms must document lessons learned from disruptions and testing. Annual board self-assessment against the operational resilience requirements.
RegTech relevance
- RegTech platforms that support critical compliance processes (real-time payment monitoring, sanctions screening in the payment flow) may themselves be identified as supporting important business services
- Operational resilience requirements for RegTech vendors are increasingly included in vendor contracts
- Mapping exercises often reveal previously unknown dependencies on RegTech SaaS providers
UK GDPR / Data Protection Act 2018
Instruments: UK GDPR (retained EU law post-Brexit, as amended); Data Protection Act 2018 (DPA 2018)
Regulator: Information Commissioner's Office (ICO)
UK GDPR is substantively aligned with EU GDPR but is a separate legal instrument. Key differences:
- Adequacy decision: EU granted UK adequacy in June 2021 (valid initially for 4 years; under review).
- Law enforcement processing: DPA 2018 Part 3 implements LED (EU Law Enforcement Directive) for police and law enforcement — relevant for financial crime information sharing.
- National security: DPA 2018 Part 4 sets out the national security exemption framework.
- ICO guidance: ICO has issued extensive UK-specific guidance including on AI fairness, automated decision-making, and the accountability framework.
Data Protection and Digital Information (DPDI) Bill (2024): Proposed reforms to UK GDPR were introduced but not enacted prior to the July 2024 general election. A revised approach is expected from the new government but no enacted changes as of early 2025.
Substantive compliance obligations for financial services are essentially identical to EU GDPR. See the EU GDPR section above for full details.
Money Laundering Regulations 2017 (MLR 2017)
Full title: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692 (as amended)
Regulator: FCA (financial services); HMRC (money service businesses, estate agents, accountants, TCSP); professional body supervisors; Companies House
Key amendments: MLR 2019 (5AMLD implementation); MLR 2022 (FATF recommendations; CDD reform)
Scope
MLR 2017 applies to credit institutions, financial institutions, independent legal professionals, accountants, estate agents, letting agents (new from 2020), high-value dealers (cash transactions over EUR 10,000), casinos, and trust or company service providers.
Key obligations
Customer Due Diligence (Regulations 27–40): - Standard CDD: verify name, address, date of birth for individuals; name, incorporation details, beneficial ownership for legal entities. - Beneficial ownership threshold: 25% for corporate entities. - Politically Exposed Persons (PEPs): enhanced due diligence; senior management approval; source of wealth and source of funds verification. UK-specific: domestic PEPs (UK PEPs) receive a lower risk assessment by default — domestic PEPs are treated as lower risk than foreign PEPs unless other risk factors indicate otherwise (post-MLR 2022 reform). However, the FCA has emphasised that this does not mean domestic PEPs are automatically low risk. - High-risk third countries: EDD mandatory for transactions or relationships involving jurisdictions on the UK high-risk third countries list (HMRC/HMT designation).
Suspicious Activity Reporting (SARs) — Proceeds of Crime Act 2002 (POCA): MLR 2017 creates the AML control framework; the reporting obligations themselves sit in POCA 2002.
- Required disclosures (ss. 330–331): a person in the regulated sector who knows or suspects, or has reasonable grounds to know or suspect, money laundering must disclose to the nominated officer (MLRO), who must in turn report to the National Crime Agency (NCA). Failure to disclose is a criminal offence. This covers suspicion that arises after a transaction has already completed.
- Authorised disclosures (s. 338; "consent" or DAML SARs): where proceeding with a transaction would itself constitute money laundering, the firm files a SAR requesting a defence against money laundering (DAML) before proceeding.
- Timing (s. 335): the NCA has seven working days to refuse consent; if it does, a 31-day moratorium period follows, extendable by the court in further 31-day periods up to a maximum of 186 days (Criminal Finances Act 2017).
- Tipping off (s. 333A) and prejudicing an investigation (s. 342) are offences: neither the content nor the existence of a SAR may be disclosed to the customer.
Record-keeping (Regulation 40): CDD records and supporting evidence of transactions must be kept for 5 years from the end of the business relationship or the completion of the occasional transaction. Records must be sufficient to reconstruct individual transactions; personal data is to be deleted at the end of the period unless retention is required by other law or the data subject consents.
Training (Regulation 24): relevant employees must be made aware of the law relating to money laundering and terrorist financing and receive regular training in recognising and handling transactions that may be linked to them; a written record of the training given must be kept.
US Frameworks
Bank Secrecy Act / FinCEN AML Rules
Primary statutes: Bank Secrecy Act (BSA) 1970, 31 U.S.C. §§ 5311–5336; implemented by FinCEN regulations at 31 C.F.R. Chapter X Key amendments: USA PATRIOT Act (2001) — § 326 customer identification programs, § 312 correspondent and private banking due diligence, § 314 information sharing; Anti-Money Laundering Act of 2020 (AMLA 2020, enacted 1 January 2021 within the FY2021 NDAA) — BSA modernisation, whistleblower program, and, through the Corporate Transparency Act (CTA, Title LXIV of AMLA), the FinCEN beneficial ownership registry Regulator: FinCEN (Financial Crimes Enforcement Network, Treasury); prudential regulators (OCC, Federal Reserve, FDIC, NCUA) examine BSA compliance at the institutions they supervise
Scope
BSA applies to "financial institutions" broadly defined under 31 C.F.R. § 1010.100: banks, credit unions, broker-dealers, futures commission merchants, money services businesses (MSBs), insurance companies, casinos, and others. The Customer Due Diligence (CDD) Rule extends BSA obligations to legal entity customers for covered financial institutions.
Key obligations
AML Program (31 C.F.R. § 1020.210 for banks; parallel sections for other institution types): every covered financial institution must establish and maintain a written AML program with four minimum pillars ("The Four Pillars"):
1. Policies, procedures, and internal controls
2. Designation of a compliance officer
3. Ongoing employee training
4. Independent testing/audit
The CDD Rule (2018, below) added a fifth pillar: customer due diligence. AMLA 2020 further requires programs to be risk-based and effective; FinCEN's June 2024 proposed AML/CFT program rule would add a documented, periodically updated risk assessment process as an explicit program component, aligned with FinCEN's national AML/CFT priorities. That rule had not been finalised as of early 2025.
Currency Transaction Reports (CTRs) (31 C.F.R. § 1010.311): file FinCEN Form 112 within 15 calendar days after the day of the transaction for each deposit, withdrawal, exchange of currency, or other payment or transfer of more than $10,000 in currency by, through, or to the financial institution. Multiple currency transactions by or on behalf of the same person on the same business day must be aggregated across all branches and channels (cash-in and cash-out are totalled separately) and reported if either total exceeds $10,000. Structuring transactions to evade the CTR requirement is itself an offence (31 U.S.C. § 5324).
Suspicious Activity Reports (SARs) (31 C.F.R. § 1020.320 for banks; § 1022.320 MSBs; § 1023.320 broker-dealers): file FinCEN Form 111 within 30 calendar days after initial detection of facts that may constitute a basis for filing. If no suspect has been identified on the date of detection, filing may be delayed to identify one, but no more than 60 calendar days after initial detection. Thresholds: banks and broker-dealers, $5,000 or more where a suspect can be identified ($25,000 or more regardless of suspect for banks; no threshold for insider abuse); MSBs, $2,000. Disclosing a SAR or its existence is prohibited under 31 U.S.C. § 5318(g)(2); good-faith filers have safe harbour under § 5318(g)(3).
Customer Identification Program (CIP) (31 C.F.R. § 1020.220): Banks must have a CIP that includes: collecting minimum identifying information (name, date of birth, address, identification number); verifying identity; checking against government lists; providing customer notice; retaining records for 5 years.
Customer Due Diligence (CDD) Rule (31 C.F.R. § 1010.230, with program amendments at § 1020.210): final rule May 2016, compliance from 11 May 2018. Made customer due diligence the fifth AML pillar: understanding the nature and purpose of customer relationships to develop a risk profile, and ongoing monitoring to update it and identify suspicious activity. Legal entity customers: identify and verify each natural person owning 25% or more (ownership prong) plus one individual with significant managerial control (control prong), at account opening, typically via the rule's Appendix A certification form. The CTA requires FinCEN to revise the CDD Rule to align it with the beneficial ownership registry; that revision was still pending as of early 2025.
Corporate Transparency Act / FinCEN Beneficial Ownership Registry: effective 1 January 2024, most US legal entities (and foreign entities registered to do business in the US) must file beneficial ownership information (BOI) reports with FinCEN identifying each beneficial owner (25% ownership or substantial control), subject to 23 exemption categories that cover most regulated financial institutions. The Access Rule (final December 2023) lets financial institutions query the registry for CDD purposes with customer consent, with access phased in from 2024. Note: the CTA has been subject to litigation since late 2024, including nationwide injunctions that were issued, stayed and reinstated; verify current filing and access status with FinCEN.
314(a) and 314(b) Information Sharing:
- 314(a): on behalf of law enforcement, FinCEN can require financial institutions to search their records for accounts (open in the prior 12 months) or transactions (prior 6 months) of persons named in a FinCEN request, with a 14-day response deadline.
- 314(b): voluntary information sharing between financial institutions about suspected money laundering or terrorist financing, after registration with FinCEN, with a safe harbour from liability.
RegTech relevance
- SAR workflow automation: case management systems must support the 30/60-day filing deadlines
- CTR aggregation: systems must aggregate same-business-day cash transactions by customer across every branch and channel, totalling cash-in and cash-out separately, and surface near-threshold patterns for structuring review
- OFAC screening: required under the Trading with the Enemy Act (TWEA) and International Emergency Economic Powers Act (IEEPA); separate from BSA but typically part of AML infrastructure
- FinCEN 314(b) consortiums: technology platforms enabling shared lookups across participating institutions
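The aggregation and deadline logic described above, as an added example rather than any vendor's or FinCEN's own code. It assumes a minimal in-memory transaction record and the thresholds stated on this page (more than $10,000 per customer per business day, CTR due 15 calendar days after the transaction day, SAR due 30 or 60 calendar days after initial detection); the sample transactions are constructed, and the near-threshold window is a hypothetical review heuristic, not a regulatory trigger.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# BSA parameters as stated on this page (31 C.F.R. §§ 1010.311, 1020.320).
CTR_THRESHOLD = Decimal("10000")   # reportable when the currency total is MORE than $10,000
CTR_FILING_DAYS = 15               # calendar days after the transaction day
SAR_FILING_DAYS = 30               # calendar days after initial detection
SAR_FILING_DAYS_NO_SUSPECT = 60    # outer limit when no suspect has been identified


@dataclass(frozen=True)
class CashTxn:
    customer_id: str     # the person by or on behalf of whom the cash moves
    business_day: date
    direction: str       # "in" = cash received, "out" = cash paid out
    amount: Decimal
    branch: str          # aggregation must span every branch and channel


def _daily_totals(txns):
    """(customer, business day) -> {"in": total, "out": total}, across all branches."""
    totals = defaultdict(lambda: {"in": Decimal(0), "out": Decimal(0)})
    for t in txns:
        if t.direction not in ("in", "out"):
            raise ValueError(f"unknown direction {t.direction!r}")
        if t.amount <= 0:
            raise ValueError("cash amounts must be positive")
        totals[(t.customer_id, t.business_day)][t.direction] += t.amount
    return totals


def aggregate_ctr(txns):
    """One record per (customer, day) whose cash-in OR cash-out total exceeds
    $10,000, with the CTR filing due date. Cash in and cash out are never netted."""
    reportable = []
    for (cust, day), sums in sorted(_daily_totals(txns).items()):
        if sums["in"] > CTR_THRESHOLD or sums["out"] > CTR_THRESHOLD:
            reportable.append({
                "customer_id": cust,
                "business_day": day,
                "cash_in": sums["in"],
                "cash_out": sums["out"],
                "ctr_due": day + timedelta(days=CTR_FILING_DAYS),
            })
    return reportable


def near_threshold(txns, window=Decimal("0.90")):
    """Structuring indicator (hypothetical review heuristic, not a CTR trigger):
    customers whose same-day cash-in or cash-out total lies between 90% of the
    threshold and the threshold itself, i.e. just under the reporting line."""
    low = CTR_THRESHOLD * window
    return sorted(
        cust for (cust, _day), s in _daily_totals(txns).items()
        if any(low <= s[d] <= CTR_THRESHOLD for d in ("in", "out"))
    )


def sar_deadline(detected_on, suspect_identified):
    """Latest SAR filing date: 30 calendar days after initial detection, or 60
    when no suspect has been identified (the extra time is only for identifying one)."""
    days = SAR_FILING_DAYS if suspect_identified else SAR_FILING_DAYS_NO_SUSPECT
    return detected_on + timedelta(days=days)


# Constructed sample data (not real transactions).
DAY = date(2025, 3, 3)
SAMPLE_TXNS = [
    CashTxn("C-100", DAY, "in", Decimal("6000.00"), "Branch-A"),   # two branches, same day:
    CashTxn("C-100", DAY, "in", Decimal("4500.00"), "Branch-B"),   # 10,500 in -> CTR
    CashTxn("C-200", DAY, "in", Decimal("9900.00"), "Branch-A"),   # just under: no CTR,
    CashTxn("C-200", DAY, "out", Decimal("9900.00"), "Branch-A"),  # but a structuring flag
    CashTxn("C-300", DAY, "in", Decimal("10000.00"), "Branch-C"),  # exactly 10,000: not "more than"
]

if __name__ == "__main__":
    for rec in aggregate_ctr(SAMPLE_TXNS):
        print(f"CTR: {rec['customer_id']} in={rec['cash_in']} out={rec['cash_out']} due {rec['ctr_due']}")
    print("structuring review:", near_threshold(SAMPLE_TXNS))
    print("SAR due (suspect known):", sar_deadline(DAY, True))
    print("SAR due (no suspect):   ", sar_deadline(DAY, False))
```

Two design points matter in production: the customer key must be the resolved person or entity on whose behalf cash moves (not the account number), otherwise deposits split across accounts or conductors escape aggregation; and the business-day boundary must be the institution's, not the branch clock, so late-evening and next-morning deposits do not land in different days.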
SR 11-7 (Supervisory Guidance on Model Risk Management)
Full title: Supervisory Guidance on Model Risk Management, SR Letter 11-7 (April 2011; issued by the OCC as Bulletin 2011-12) Issued by: Board of Governors of the Federal Reserve System and OCC Regulator: Federal Reserve, OCC; adopted by the FDIC in 2017 (FIL-22-2017); referenced by FinCEN, the SEC and the CFPB
Scope
SR 11-7 is guidance (not a regulation), but supervisory expectations for model risk management at regulated banks are derived from it. It applies to any model used for decision-making across the institution. In RegTech contexts this includes credit scoring and underwriting models; AML transaction monitoring and sanctions screening models; fraud detection models; market risk models; and stress testing models.
Key concepts
SR 11-7 defines a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." This is broad enough to encompass rule-based systems where the rules are parameterised based on data analysis.
Model development and implementation: - Models must be developed with sound methodology. - Conceptual soundness: the model must be based on appropriate theory and valid assumptions. - Data quality: inputs must be relevant, accurate, and sufficient. - Documentation: full documentation of design, data, assumptions, mathematical specifications, and limitations is required before deployment. - Testing: rigorous testing including out-of-sample testing and sensitivity analysis before production.
Model validation: SR 11-7's most operationally significant requirement is that models must be independently validated, meaning validated by staff or a group independent of those who developed and use the model. Validation must include:
- Conceptual soundness: evaluation of the theoretical framework, assumptions, and the reasonableness of the model's use case.
- Ongoing monitoring: testing whether the model performs as expected in production, including performance metrics, benchmarking, and outcomes analysis.
- Process verification: confirming that inputs are used and processed correctly and that outputs are generated as intended.
- Sensitivity analysis: testing how outputs change with changes in inputs and assumptions.
- Back-testing: comparing model predictions to actual outcomes where possible.
Model inventory: All models in use must be inventoried. The inventory should include: model purpose; business unit; owner; status (developmental, active, inactive); last validation date; identified limitations; approved compensating controls.
Model risk governance: Board and senior management are accountable for model risk. A three-lines-of-defence framework is typical: - 1st line: model owners/developers (internal controls) - 2nd line: model risk management function (independent validation, policy) - 3rd line: internal audit (validation of the MRM framework itself)
RegTech relevance
SR 11-7 is the primary reason financial institutions need explainability and auditability built into their AML systems and credit models from the start: those systems will be validated against it. Key implications for RegTech:
- Model documentation must exist before deployment, not be written retrospectively
- Independent validation is required; a model cannot be self-certified by the development team
- AML transaction monitoring systems are typically models under SR 11-7 if their alert thresholds were set using statistical analysis of historical data
- Challenger models and benchmark comparisons are best practice
ECOA / Fair Credit Reporting Act
Equal Credit Opportunity Act (ECOA): 15 U.S.C. § 1691 et seq.; implemented by Regulation B (12 C.F.R. Part 1002) Fair Credit Reporting Act (FCRA): 15 U.S.C. § 1681 et seq.; implemented by Regulation V (12 C.F.R. Part 1022) Regulators: CFPB (primary rule-writing and enforcement); prudential regulators (banks); FTC (non-bank FCRA enforcement); DOJ (pattern-or-practice discrimination)
Scope
ECOA prohibits discrimination against any credit applicant on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has capacity to contract), receipt of income from a public assistance program, or the good-faith exercise of rights under the Consumer Credit Protection Act. Regulation B implements ECOA and imposes requirements on creditors.
FCRA regulates consumer reporting agencies and the use of consumer reports (credit reports, background checks) by users.
Key obligations
ECOA / Regulation B:
- Adverse action notices (Regulation B § 1002.9): when a creditor takes adverse action (denial, unfavorable change in terms, withdrawal of a credit offer) on a credit application, the applicant is entitled to a notice of the action taken and a statement of the specific principal reasons for it (or disclosure of the right to request those reasons). Reasons must be specific and meaningful, not generic. This requirement directly implicates AI/ML model explainability for credit decisions.
- Disparate impact: credit policies that are facially neutral but have a disparate impact on a protected class may violate ECOA unless justified by a legitimate business necessity that cannot reasonably be achieved by a less discriminatory alternative.
- HMDA (Home Mortgage Disclosure Act, Regulation C, 12 C.F.R. Part 1003): requires most mortgage lenders to collect and report demographic data on mortgage applications. Used to assess fair lending compliance.
FCRA:
- Permissible purpose: consumer reports may only be obtained and used for permissible purposes (credit decisions, employment, insurance, etc.).
- Adverse action (FCRA § 615, 15 U.S.C. § 1681m): when a consumer report is used for an adverse action, the consumer must be notified and given the name and contact information of the consumer reporting agency, the right to a free copy of the report within 60 days, and the right to dispute its accuracy.
- Accuracy and dispute: consumer reporting agencies must maintain reasonable procedures to assure maximum possible accuracy. Consumers have the right to dispute inaccurate information.
- Furnisher obligations: entities that furnish information to CRAs must ensure accuracy and investigate disputes.
RegTech relevance
- Adverse action notices for AI-driven credit decisions: CFPB Circulars 2022-03 and 2023-03 make clear that using a complex or opaque algorithmic model does not excuse a creditor from providing specific, accurate reasons for adverse action, and that reasons drawn from a fixed checklist may not satisfy the rule if they do not reflect the actual factors. Feature attribution methods such as SHAP values are commonly used to derive the principal reasons.
- Fair lending testing: supervisors expect regular disparate impact testing of credit models against ECOA-protected categories, with a business-justification and less-discriminatory-alternative analysis where disparities are found. RegTech tooling for bias detection in model outputs is directly responsive to this expectation.
- Training data and bias: if training data reflects historical discrimination, ML models can perpetuate or amplify it even when protected characteristics are excluded as inputs; ECOA / Regulation B exposure therefore requires proactive testing of outcomes, not only of inputs.
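The two mechanics in this list (deriving specific adverse action reasons from a model's feature attributions, and screening decisions for disparate impact) shown as an added example; this is not a CFPB or any lender's code. It assumes a constructed additive scorecard with hypothetical weights, reason text and population baseline, and a constructed decision log. For an additive model the contribution w_f * (x_f - mean_f) is exactly the feature's SHAP value, so the ranking needs no explainer library; for non-additive models the same ranking step would be applied to SHAP output.

```python
from collections import defaultdict

# Constructed additive scorecard (hypothetical weights; not any lender's real model).
# score = INTERCEPT + sum(WEIGHTS[f] * x[f]); approve when score >= CUTOFF.
# Protected characteristics are deliberately NOT model inputs; the group label is
# used only by the fair lending test below.
WEIGHTS = {
    "utilisation": -120.0,        # revolving balance / limit, 0..1
    "inquiries_6m": -10.0,        # hard inquiries in the last 6 months
    "delinquencies_24m": -30.0,   # 30+ day delinquencies in the last 24 months
    "account_age_years": 4.0,
    "income_k": 0.4,              # annual income, thousands
}
INTERCEPT = 640.0
CUTOFF = 640.0
# Population means used as the reference point (constructed). For an additive
# model, w_f * (x_f - mean_f) is exactly the feature's SHAP attribution.
BASELINE = {"utilisation": 0.35, "inquiries_6m": 1, "delinquencies_24m": 0,
            "account_age_years": 8, "income_k": 60}
# Specific reason text per feature (Reg B § 1002.9 rejects generic reasons).
REASON_TEXT = {
    "utilisation": "Proportion of balances to credit limits on revolving accounts is too high",
    "inquiries_6m": "Too many recent inquiries for credit",
    "delinquencies_24m": "Delinquent past or present credit obligations",
    "account_age_years": "Length of time accounts have been established is too short",
    "income_k": "Income insufficient for amount of credit requested",
}
MAX_REASONS = 4   # Reg B commentary: more than four principal reasons is rarely helpful


def score(applicant):
    return INTERCEPT + sum(w * applicant[f] for f, w in WEIGHTS.items())


def approved(applicant):
    return score(applicant) >= CUTOFF


def contributions(applicant):
    """Per-feature contribution relative to the baseline population."""
    return {f: w * (applicant[f] - BASELINE[f]) for f, w in WEIGHTS.items()}


def adverse_action_reasons(applicant, max_reasons=MAX_REASONS):
    """Principal reasons for a denial: the features that pulled the score down the
    most relative to the baseline, most negative first. [] for approved applicants."""
    if approved(applicant):
        return []
    negatives = sorted((c, f) for f, c in contributions(applicant).items() if c < 0)
    return [REASON_TEXT[f] for _c, f in negatives[:max_reasons]]


def adverse_impact_ratio(decisions, threshold=0.8):
    """Approval rate per group and the ratio of the lowest rate to the highest.
    A ratio under 0.8 (the 'four-fifths' screening heuristic) is a disparate impact
    warning sign that triggers business-justification and less-discriminatory-
    alternative analysis; it is a screen, not a legal conclusion on its own."""
    counts = defaultdict(lambda: [0, 0])   # group -> [approved, total]
    for group, is_approved in decisions:
        counts[group][0] += int(is_approved)
        counts[group][1] += 1
    rates = {g: a / n for g, (a, n) in counts.items()}
    ratio = min(rates.values()) / max(rates.values())
    return {"rates": rates, "ratio": ratio, "flagged": ratio < threshold}


# Constructed applicants (not real data).
DECLINED = {"utilisation": 0.90, "inquiries_6m": 5, "delinquencies_24m": 1,
            "account_age_years": 2, "income_k": 45}
APPROVED = {"utilisation": 0.20, "inquiries_6m": 0, "delinquencies_24m": 0,
            "account_age_years": 10, "income_k": 80}
# Constructed decision log for the four-fifths screen: 80/100 vs 56/100 approvals.
DECISION_LOG = ([("group_a", True)] * 80 + [("group_a", False)] * 20
                + [("group_b", True)] * 56 + [("group_b", False)] * 44)

if __name__ == "__main__":
    print("declined score:", score(DECLINED))
    for reason in adverse_action_reasons(DECLINED):
        print(" -", reason)
    print("approved score:", score(APPROVED), adverse_action_reasons(APPROVED))
    print(adverse_impact_ratio(DECISION_LOG))
```

The baseline matters for defensibility: ranking against the population mean answers "why this applicant rather than a typical one", whereas ranking against the cutoff or against approved applicants can reorder the reasons; whichever reference is chosen should be documented in the model file that SR 11-7 validation will read.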
SEC Cybersecurity Rules (2023–2024)
Instruments: - Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Item 106 of Regulation S-K; Item 1.05 of Form 8-K; Form 20-F/6-K for foreign private issuers): final rule adopted 26 July 2023 (effective 5 September 2023; Form 8-K compliance from 18 December 2023, annual disclosures for fiscal years ending on or after 15 December 2023) - Regulation S-P amendments (Privacy of Consumer Financial Information and Safeguarding Customer Information): final rule adopted 16 May 2024, requiring broker-dealers, investment companies, registered investment advisers and transfer agents to maintain incident response programs and notify affected individuals within 30 days of becoming aware of unauthorised access to sensitive customer information (compliance 18 or 24 months after publication depending on size) - Cybersecurity risk management rules for broker-dealers, clearing agencies and other market entities (Release No. 34-97142) and for investment advisers and funds (Release No. 33-11028): proposed in 2023 and 2022 respectively; not adopted as of early 2025
Scope
The public company rules apply to all SEC registrants filing periodic reports, including foreign private issuers. The Regulation S-P amendments apply to SEC-registered broker-dealers, investment companies, investment advisers and transfer agents; the proposed market-entity and adviser cyber rules would, if adopted, apply to those same registrants plus clearing agencies, national securities exchanges and other market entities.
Key obligations
Incident reporting (Item 1.05 of Form 8-K): material cybersecurity incidents must be disclosed within 4 business days of the registrant's determination that the incident is material, describing its nature, scope, timing and the material impact or reasonably likely material impact. The materiality determination must be made without unreasonable delay. "Material" follows the standard securities law definition: information that a reasonable investor would consider important in making an investment decision. Delayed disclosure is permitted only where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.
Annual disclosure (Item 106 of Regulation S-K, in Form 10-K): - Describe the processes for assessing, identifying, and managing material risks from cybersecurity threats, including use of third parties and oversight of third-party service providers. - Describe board oversight of risks from cybersecurity threats, including any board committee responsible. - Describe management's role and expertise in assessing and managing material cybersecurity risk. - Disclose whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the registrant's business strategy, results of operations, or financial condition.
Broker-dealer, fund, adviser and transfer agent rules (Regulation S-P amendments): - Written policies and procedures for an incident response program reasonably designed to detect, respond to and recover from unauthorised access to or use of customer information. - Notification to affected individuals as soon as practicable and no later than 30 days after becoming aware of an incident involving sensitive customer information, unless the institution determines the information is not reasonably likely to be used in a way that causes substantial harm. - Oversight of service providers, including contractual notification within 72 hours of a breach at the provider. - Recordkeeping of compliance with the program.
RegTech relevance
- RegTech platforms that become aware of a cybersecurity incident affecting their financial institution clients may need to notify clients promptly to enable the client's 4-day Form 8-K timeline
- Incident response plans must address the 4-business-day materiality determination and disclosure process
- Board-level cybersecurity governance documentation is now a disclosure requirement — compliance reporting to the board takes on securities law significance
International Standards
FATF 40 Recommendations
Full title: International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation: The FATF Recommendations Body: Financial Action Task Force (FATF), an intergovernmental body with 40 members (38 jurisdictions and two regional organisations, the European Commission and the Gulf Cooperation Council) plus a network of FATF-style regional bodies Current version: adopted February 2012, with periodic amendments (the consolidated text is republished after each update; check the current edition)
Nature: FATF Recommendations are soft law — they are not legally binding treaties. However, they are implemented into national law by virtually all jurisdictions through domestic AML legislation. FATF conducts mutual evaluations of member countries. Countries rated as "not compliant" or "partially compliant" on core recommendations face reputational and market access consequences. FATF maintains the "grey list" (Jurisdictions Under Increased Monitoring) and the "black list" (High-Risk Jurisdictions Subject to a Call for Action) — the latter triggers mandatory EDD by FATF-member country obliged entities.
Structure
The 40 Recommendations are organised into seven sections: - A. AML/CFT Policies and Coordination (Rec. 1–2: risk-based approach; national cooperation) - B. Money Laundering and Confiscation (Rec. 3–4) - C. Terrorist Financing and Financing of Proliferation (Rec. 5–8) - D. Preventive Measures (Rec. 9–23: CDD, record keeping, PEPs, correspondent banking, new technologies, wire transfers, reliance, reporting, DNFBPs) - E. Transparency and Beneficial Ownership of Legal Persons and Arrangements (Rec. 24–25) - F. Powers and Responsibilities of Competent Authorities and Other Institutional Measures (Rec. 26–35) - G. International Cooperation (Rec. 36–40)
Key recommendations for RegTech
| Recommendation | Subject | Key Requirement |
|---|---|---|
| R.1 | Risk-Based Approach | Allocate resources according to assessed risk; higher risk = enhanced measures |
| R.10 | Customer Due Diligence | Identify and verify customers and beneficial owners |
| R.11 | Record Keeping | Maintain records for 5+ years |
| R.12 | PEPs | Foreign PEPs: EDD mandatory (senior management approval; source of wealth and funds; enhanced monitoring); domestic and international-organisation PEPs: risk-based, EDD where higher risk |
| R.13 | Correspondent Banking | EDD for cross-border correspondent relationships |
| R.15 | New Technologies | Assess ML/TF risks before launch of new products, technologies, delivery mechanisms |
| R.16 | Wire Transfers | Travel Rule: transmit originator and beneficiary information with wire transfers |
| R.20 | Suspicious Transaction Reporting | Report suspicious transactions to the FIU |
| R.24 | Beneficial Ownership (Companies) | Prevent misuse; maintain adequate, accurate, and current BO information |
| R.25 | Beneficial Ownership (Trusts) | Trustees to obtain and disclose BO information |
Travel Rule (R.16): FATF Recommendation 16 requires that required originator and beneficiary information accompany wire transfers and remain with them through the payment chain. In 2019 FATF extended R.15 and R.16 to virtual assets and virtual asset service providers (VASPs), so the Travel Rule applies to VASP-to-VASP transfers. Implementation is uneven globally: the "sunrise issue" (a VASP in a jurisdiction that has implemented the rule transacting with one in a jurisdiction that has not) is an active compliance challenge for crypto firms, and FATF's targeted updates track national implementation gaps.
BCBS 239 (Risk Data Aggregation and Risk Reporting)
Full title: Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS 239) Issued by: Basel Committee on Banking Supervision (BCBS) Published: January 2013 Applicable to: Global Systemically Important Banks (G-SIBs) designated in 2011 and 2012 by January 2016, and subsequently designated G-SIBs three years after designation; Domestic Systemically Important Banks (D-SIBs) three years after designation, at national supervisors' discretion; other banks encouraged to adopt
Nature: like the FATF Recommendations, BCBS 239 is soft law, implemented through domestic supervisory expectations (e.g., the ECB's Guide on effective risk data aggregation and risk reporting, May 2024, and PRA supervisory engagement).
Fourteen Principles
| Category | Principles | Summary |
|---|---|---|
| Overarching governance | 1–2 | Board/senior management oversight of risk data; strong data architecture |
| Risk data aggregation | 3–6 | Accuracy and integrity; completeness; timeliness; adaptability |
| Risk reporting | 7–11 | Accuracy; comprehensiveness; clarity and usefulness; frequency; distribution |
| Supervisory review | 12–14 | Supervisory review; remediation; home/host cooperation |
Key principles for RegTech
- Principle 3 (Accuracy and Integrity): Risk data must be accurate and reliable. Reconciliation between risk systems and source systems.
- Principle 4 (Completeness): Must capture all material risk data across all business lines and geographies.
- Principle 5 (Timeliness): a bank must be able to generate aggregated and up-to-date risk data in a timely manner, in normal and in stress or crisis conditions, for all critical risks (the Principle names aggregated credit exposures, counterparty credit risk, trading exposures and positions, liquidity risk and operational risk). It sets no fixed clock time; the expected frequency depends on the nature and volatility of the risk, and is shorter in stress, intraday where needed for liquidity and counterparty exposures.
- Principle 6 (Adaptability): Systems must be able to generate custom aggregations — reports should not be so hardcoded that they cannot respond to supervisory ad hoc requests.
RegTech relevance
BCBS 239 is the primary driver of data lineage, data quality management, and metadata management investment at G-SIBs and D-SIBs. RegTech implications:
- Data quality tools must support automated reconciliation and lineage tracking
- Risk data architecture must support both automated reporting and ad hoc query
- Many G-SIBs received supervisory criticism for BCBS 239 compliance in the 2017–2023 period; it remains an active supervisory priority
- The BCBS's 2023 progress report confirmed that most G-SIBs still have significant gaps, particularly in adaptability and timeliness
NIST Cybersecurity Framework 2.0
Full title: NIST Cybersecurity Framework (CSF) 2.0 Published: February 2024 Issued by: National Institute of Standards and Technology (US Department of Commerce)
Nature: Voluntary framework. However, widely adopted as de facto standard. Referenced by SEC, FFIEC, OCC, and others. CSF 2.0 supersedes CSF 1.1 (2018).
Six Core Functions (CSF 2.0)
CSF 2.0 added a sixth function, Govern, to the five functions of CSF 1.1.
| Function | ID | Scope |
|---|---|---|
| Govern (new in 2.0) | GV | Organisational context; risk management strategy; supply chain risk; roles and responsibilities; policies; oversight |
| Identify | ID | Asset management; risk assessment; improvement |
| Protect | PR | Identity management and access control; awareness and training; data security; platform security; technology infrastructure resilience |
| Detect | DE | Monitoring; adverse event analysis |
| Respond | RS | Incident management; incident analysis; reporting and communication; mitigation |
| Recover | RC | Incident recovery; communication |
Key changes in CSF 2.0
- Govern function: Elevates governance and supply chain risk to a top-level function, reflecting that cybersecurity requires board-level engagement and extends through the supply chain.
- Supply chain risk management (GV.SC): a category under Govern with expanded outcomes on third-party risk (supplier identification and prioritisation, contractual requirements, monitoring, and secure offboarding); directly relevant to RegTech vendor management.
- Implementation examples: CSF 2.0 includes implementation examples for each subcategory — more actionable than CSF 1.1.
- Profiles: Organisations create a Current Profile (current cybersecurity posture) and Target Profile (desired posture); the gap between them is the risk treatment roadmap.
RegTech relevance
NIST CSF 2.0 is the standard against which most US financial institutions benchmark their cybersecurity programs. For RegTech vendors:
- CSF alignment is increasingly required in vendor due diligence questionnaires
- The Govern function provides the framework for board-level cybersecurity reporting that the SEC now requires in Form 10-K
- DORA (EU) has been mapped to NIST CSF by multiple industry bodies, facilitating cross-jurisdictional compliance
IOSCO Principles
Full title: Objectives and Principles of Securities Regulation (IOSCO) Issued by: International Organization of Securities Commissions Current version: 38 Principles (revised to 38 in 2010; assessment Methodology updated 2017; supplemented by thematic reviews) Nature: soft law; the basis for IMF/World Bank Financial Sector Assessment Program (FSAP) assessments of securities regulators
Relevant principles for RegTech
IOSCO's 38 Principles are organised across the regulator (1–8), self-regulation (9), enforcement (10–12), cooperation (13–15), issuers (16–18), auditors, credit rating agencies and other information service providers (19–23), collective investment schemes (24–28), market intermediaries (29–32), secondary markets (33–37) and clearing and settlement (38). The most RegTech-relevant:
| Principle | Subject | Relevance |
|---|---|---|
| P.2 | Regulator independence | The regulator must be operationally independent and accountable |
| P.4 | Regulatory processes | Clear and consistent regulatory processes |
| P.6 | Systemic risk | The regulator must have or contribute to a process to monitor, mitigate and manage systemic risk |
| P.9 | Self-regulatory organisations | SROs exercising direct oversight (including exchange surveillance) must themselves be subject to regulator oversight |
| P.10 | Inspection and surveillance | The regulator must have comprehensive inspection, investigation and surveillance powers |
| P.29–P.32 | Market intermediaries | Entry standards; capital and prudential requirements; conduct and internal organisation; procedures for intermediary failure |
| P.33–P.37 | Secondary markets | Authorisation and ongoing supervision of trading systems; transparency; detection and deterrence of manipulation; management of large exposures and default risk |
| P.38 | Clearing and settlement | Securities settlement systems and central counterparties subject to regulatory oversight |
IOSCO has also published separate guidance directly relevant to RegTech and digital markets: - Retail Market Conduct Task Force Final Report (2023): conduct risks in digital distribution, gamification and social-media-driven trading - Policy Recommendations for Crypto and Digital Asset Markets (November 2023): 18 recommendations covering conflicts of interest, market abuse, custody, cross-border cooperation and disclosure, intended to be applied through national frameworks (EU MiCA, adopted earlier in 2023, is broadly consistent with them) - The use of artificial intelligence and machine learning by market intermediaries and asset managers (Final Report, September 2021): six measures for AI/ML governance, oversight, testing and disclosure in regulated firms
Jurisdiction Comparison Tables
AML Regulatory Requirements Comparison
| Requirement | EU (AMLR 2024) | UK (MLR 2017) | US (BSA/FinCEN) | Singapore (MAS AMTF Notice) | Hong Kong (AMLO) |
|---|---|---|---|---|---|
| CDD trigger | New customers; existing customers on a risk trigger; periodic review | Same as EU | CIP for every new account; ongoing CDD and beneficial ownership collection for legal entity customers at account opening; identification of the conductor for currency transactions over $10,000 (CTR) | New customers; existing on risk change | New customers; existing on risk change |
| Beneficial ownership threshold | 25% / control | 25% / control | 25% / control ("control prong" separate) | 25% / control | 25% / control |
| PEP screening | Domestic and foreign PEPs; EDD required for all | Foreign PEPs: EDD required; domestic PEPs: lower-risk starting point since January 2024 but still identified and subject to proportionate EDD | No stand-alone PEP rule; § 312 EDD for private banking accounts of senior foreign political figures; otherwise risk-based CDD/EDD per the 2020 interagency PEP statement | Domestic and foreign PEPs; EDD | Foreign PEPs: EDD; domestic: risk-based enhanced monitoring |
| SAR filing deadline | "Without delay" (no calendar deadline) | "As soon as practicable" | 30 days (60 with extension) | "As soon as reasonably practicable" | "As soon as reasonably practicable" |
| SAR filing threshold | Suspicion (no amount threshold) | Suspicion (no amount threshold) | $5,000 for banks; $2,000 for MSBs | Suspicion (no amount threshold) | Suspicion (no amount threshold) |
| Cash reporting | No general CTR; AMLR introduces an EU-wide EUR 10,000 limit on cash payments (from 10 July 2027); traders in goods accepting cash above EUR 10,000 are obliged entities | No general CTR; high-value dealers (cash of EUR 10,000 or more) registered with HMRC | CTR for more than $10,000 in currency, aggregated per customer per business day | No general CTR requirement | No general CTR requirement |
| Record retention | 5 years after end of relationship or transaction; extendable by up to 5 further years where justified | 5 years | 5 years | 5 years | 5 years (reduced from 6 by the 2018 AMLO amendment) |
| Travel Rule threshold | Funds transfers: EUR 1,000 simplified regime (Regulation 2023/1113, recast TFR); crypto-asset transfers: no threshold, all transfers from 30 December 2024 | GBP 1,000 simplified regime for funds transfers; cryptoasset Travel Rule in force from 1 September 2023 | USD 3,000 (Recordkeeping and Travel Rules, 31 C.F.R. §§ 1010.410, 1020.410); 2020 FinCEN proposal to lower to $250 for cross-border and cover convertible virtual currency not finalised | SGD 1,500 for digital payment token transfers | HKD 8,000 |
Operational Resilience Requirements Comparison
| Requirement | EU (DORA) | UK (PS21/3) | US (FFIEC / OCC) | Singapore (MAS TRM Notice) | Australia (APRA CPS 230) |
|---|---|---|---|---|---|
| Effective date | 17 January 2025 | 31 March 2022 | Ongoing (guidance-based) | 21 June 2024 | 1 July 2025 |
| Binding? | Yes — Regulation | Yes — FCA/PRA rules | Mostly guidance (some rules) | Yes — MAS Notice | Yes — Prudential Standard |
| Impact tolerances / RTO | Implicit in resilience testing; no explicit metric requirement | Explicit impact tolerances required per IBS | Recovery Time Objectives in BCP (guidance) | RTO/RPO requirements in Notice | Maximum tolerable disruption per critical operation |
| Cyber incident reporting timeline | Major ICT incidents: initial notification within 4 hours of classification as major (and no later than 24 hours of awareness); intermediate report within 72 hours; final report within 1 month | Material incidents notified to FCA/PRA under Principle 11 / Fundamental Rule 7; standardised operational incident reporting rules consulted on in December 2024 (PRA CP17/24, FCA CP24/28) | Notify the primary federal regulator within 36 hours of a "notification incident" (12 C.F.R. Part 53 and FDIC/Federal Reserve counterparts); bank service providers must notify affected banks as soon as possible | Notify MAS within 1 hour of discovery of a relevant incident (TRM Notice) | CPS 234: notify APRA within 72 hours of becoming aware of a material information security incident |
| Third-party risk | Mandatory contract provisions (Art. 30); register of information on all ICT third-party arrangements; oversight framework for critical ICT third-party providers (CTPPs) | Implicit in important business service mapping; boards responsible; critical third parties regime (FSMA 2023) for designated providers | Interagency Guidance on Third-Party Relationships: Risk Management (June 2023); Bank Service Company Act examination authority | MAS Outsourcing Guidelines and TRM Guidelines third-party provisions | All material service providers; register maintained and notified to APRA; substitutability |
| Penetration testing | TLPT required for significant entities (every 3 years) | No mandatory TLPT; scenario testing required | CBEST/TIBER equivalent not mandated | Mandatory annual pen testing for major systems | Scenario testing; no mandatory TLPT |
| Business continuity plans | Yes — tested BCPs required | Yes | Yes (FFIEC BCP Booklet) | Yes | Yes — tested BCPs and recovery plans |
AI/Algorithmic System Requirements Comparison
| Requirement | EU (AI Act) | UK (FCA/PRA Guidance) | US (SR 11-7 + CFPB) | Singapore (MAS FEAT) | International (FSB 2022) |
|---|---|---|---|---|---|
| Legally binding? | Yes — Regulation | Guidance (principles-based; may become rules) | Guidance (supervisory expectations) | Principles (FEAT); evolving to mandatory | Soft law |
| High-risk classification | Annex III list (credit, law enforcement, employment, etc.) | Principles-based; all material models | All models under SR 11-7 definition | Fair, Ethical, Accountable, Transparent — all material AI | All material AI in finance |
| Explainability required? | Yes — Article 13 (transparency and instructions to deployers) for high-risk systems; Article 86 right to an explanation of individual decisions | Yes — fairness and transparency principles | Yes — adverse action notices (Reg B) | Yes — FEAT Transparency Principle | Yes — FSB recommendation |
| Human oversight required? | Yes — Article 14 | Yes — governance and oversight expectations | Yes — model owners; management accountability | Yes — human accountable for AI decisions | Yes |
| Bias testing required? | Yes — Article 10 (data) | Yes — FCA fairness expectations | Yes — ECOA disparate impact testing | Yes — FEAT Fairness Principle | Yes |
| Model documentation required? | Yes — Annex IV | Yes — model validation best practice | Yes — SR 11-7 documentation requirements | Yes — FEAT Accountability Principle | Yes |
| Post-deployment monitoring | Yes — Article 72; post-market monitoring | Yes — ongoing model performance monitoring | Yes — SR 11-7 ongoing monitoring | Yes — regular review of AI systems | Yes |
| Incident reporting for AI failures | Yes — Article 73: providers report serious incidents to market surveillance authorities no later than 15 days after establishing a link (shorter for death or widespread infringement) | Operational incidents to FCA/PRA | Suspicious activity (SAR) and operational failures under prudential reporting | Significant incidents to MAS | Encouraged by FSB |
Regulatory Calendar: Key Compliance Dates
| Framework | Jurisdiction | Key Milestone | Date | What Must Be in Place |
|---|---|---|---|---|
| EU AI Act | EU | Prohibited AI practices apply | 2 February 2025 | Audit of AI systems against the Article 5 prohibited practices; remediation or withdrawal of non-compliant systems; AI literacy obligations (Article 4) also apply from this date |
| EU AI Act | EU | GPAI model obligations | 2 August 2025 | General-purpose AI model providers: technical documentation; copyright policy; model registration |
| DORA | EU | Full application | 17 January 2025 | ICT risk framework; incident management process; ICT contract register; third-party DORA clauses in vendor agreements |
| EU AMLR / 6AMLD | EU | Application date | 10 July 2027 | New CDD procedures; revised PEP policy; updated beneficial ownership procedures; staff retraining |
| AMLA | EU | Supervisory operations begin | 2025 | Awareness of AMLA as new supervisory body; AMLA guidance monitoring |
| AMLA | EU | Direct supervision commences | 2028 | For selected 40 entities: direct AMLA supervisory relationship |
| EU AI Act | EU | High-risk AI obligations | 2 August 2026 | For high-risk AI systems: conformity assessment; technical documentation; registration in EU database; post-market monitoring |
| FCA Consumer Duty | UK | Closed book products | 31 July 2024 | Outcome monitoring across legacy product book; value assessments; customer communication reviews |
| FCA Operational Resilience | UK | Impact tolerance deadline | 31 March 2025 | All important business services must operate within stated impact tolerances |
| UK GDPR | UK | EU adequacy decisions sunset | 27 June 2025 | Monitor renewal of the EU-UK adequacy decisions; contingency SCCs (EU to UK) and IDTA/Addendum (UK to third countries) in place |
| BSA/FinCEN CDD Rule | US | CTA alignment | Ongoing 2025 | FinCEN beneficial ownership registry access; CDD rule update procedures; monitoring CTA litigation |
| SEC Cybersecurity | US | Item 106 annual disclosure | Fiscal years ending on or after 15 December 2023 | Cybersecurity risk management, strategy and governance section in Form 10-K; board oversight and management role descriptions |
| SEC Cybersecurity | US | Form 8-K Item 1.05 incident reporting | From 18 December 2023 (smaller reporting companies from 15 June 2024) | 4-business-day materiality determination and disclosure process; incident response plan updated to feed the disclosure committee |
| MiFIR Review | EU | Consolidated tapes | Phased 2025–2026 | ESMA selection of the bond consolidated tape provider in 2025 and the equities provider in 2026; revised pre- and post-trade transparency regime |
| NIST CSF 2.0 | US | Published | February 2024 | Profile gap assessment against CSF 2.0; Govern function controls; updated supply chain risk management |
| MAS TRM Notice | SG | Effective | 21 June 2024 | RTO/RPO for critical systems; annual pen testing; third-party IT outsourcing procedures |
| APRA CPS 230 | AU | Effective | 1 July 2025 | Operational risk management framework; material service provider register; BCPs; scenario testing |
| BCBS Basel III Final | Global | Full implementation | 1 January 2025 (delayed in some jurisdictions) | Standardised approaches for credit, market, and operational risk; output floors; revised internal model approval |
| FATF Travel Rule | Global | Ongoing | Country-by-country | Crypto Travel Rule implementation for VASPs; originator/beneficiary data transmission systems |