Case Study 1.2: The RegTech Taxonomy in Action — A Vendor Landscape Mapping Exercise
Overview
This case study is structured differently from Case Study 1.1. Rather than following a single organization's journey, it presents a practical exercise in applying the five-family taxonomy to real-world vendor selection challenges. It is based on a composite scenario drawn from actual client engagements observed in the field.
The scenario: Priya Nair has been engaged by a mid-size European asset manager — Altara Capital, with approximately €45 billion in AUM — to conduct an initial RegTech needs assessment. The firm's board has directed the CCO to produce a "compliance technology strategy" within 90 days. The CCO, who has a legal background, has asked Priya to help him understand what technology is available and what problems it solves.
Priya's task for this phase: produce a one-day workshop that maps Altara's compliance obligations to RegTech solution families, identifying the highest-priority gaps.
Altara Capital's Compliance Obligations: A Summary
As a UCITS and AIFMD fund manager operating primarily in Luxembourg with UK and US distribution, Altara faces the following primary compliance obligations:
| Obligation | Regulatory Basis | Current Approach |
|---|---|---|
| AML/KYC for fund investors | AMLD5, CSSF guidelines | Manual process; ~3 weeks per institutional investor onboarding |
| MiFID II transaction reporting | MiFIR Article 26 | Excel-based process; frequent late amendments |
| Best execution monitoring | MiFID II Article 27 | Quarterly review by PM team; no formal system |
| SFDR sustainable finance reporting | EU 2019/2088 | Manual disclosure preparation; first SFDR reports filed late |
| GDPR compliance | GDPR 2016/679 | Reasonable documentation; some gaps in data subject request handling |
| AIFMD regulatory reporting | AIFMD Annex IV | Outsourced to administrator; data quality issues |
| Insider dealing / MAR compliance | EU MAR | Personal account dealing policy; no surveillance system |
| Regulatory change tracking | Multiple | CCO reads FCA/CSSF/ESMA updates manually; no system |
The Workshop: Mapping Obligations to RegTech Families
Priya's workshop begins by mapping each obligation to a RegTech family and assessing Altara's current maturity.
Mapping Table
| Obligation | RegTech Family | Current Maturity | Priority |
|---|---|---|---|
| AML/KYC | Identity & Onboarding | Low (manual) | High |
| MiFID II transaction reporting | Risk & Regulatory Reporting | Low (Excel) | High |
| Best execution monitoring | Trading Compliance | Very Low (informal) | Medium |
| SFDR reporting | Risk & Regulatory Reporting | Very Low (manual) | Medium |
| GDPR | (cross-cutting) | Medium | Low-Medium |
| AIFMD reporting | Risk & Regulatory Reporting | Low (outsourced, poor quality) | Medium |
| MAR/insider dealing | Trading Compliance | Very Low (policy only) | High |
| Regulatory change | Regulatory Intelligence | Very Low (manual reading) | Medium |
The Prioritization Framework
Priya applies a simple prioritization framework based on two dimensions: regulatory risk (how likely is this gap to attract regulatory attention or result in a breach?) and operational pain (how much staff time and error risk does the current approach create?).
| | LOW Operational Pain | HIGH Operational Pain |
|---|---|---|
| HIGH Regulatory Risk | AIFMD (outsourced quality issues) | AML/KYC (manual, slow); MiFID II reporting (late amendments); MAR (no surveillance at all) |
| LOW Regulatory Risk | Regulatory change (CCO manages OK) | Best execution (informal); SFDR (late but manageable) |
Priority 1 (high reg risk + high operational pain):
- KYC/AML automation
- MiFID II transaction reporting
- MAR surveillance
Priority 2 (high reg risk + lower operational pain):
- AIFMD data quality
Priority 3 (lower reg risk + high operational pain):
- Best execution monitoring
- SFDR reporting automation
Priority 4 (address as part of broader program):
- Regulatory change management
- GDPR process improvements
The Hard Conversation
At the end of the morning session, the CCO asks Priya: "So what should we do first?"
Priya's internal answer is: "Fix MiFID II transaction reporting and get a MAR surveillance system, because those are the highest regulatory risk gaps." But she knows the CCO is hoping to hear that the KYC issue is the priority — it is the one that generates the most internal complaints (institutional investors are frustrated by the 3-week onboarding time) and the one the CCO already has a vendor solution in mind for.
This is the moment that Priya has learned, across 17 implementations, is the most important one in any engagement: the gap between what the client wants to prioritize and what they need to prioritize.
Priya says: "I think you should do two things simultaneously. KYC automation is operationally important and your investors are right to push for it. But your MiFID II transaction reporting has been generating late amendments, which means you are breaching Article 26 periodically — and the FCA and ESMA are actively reviewing transaction reporting quality across asset managers this year. If they pick you up in a review and find persistent late amendments, that becomes a formal finding. I'd start both workstreams in parallel."
The CCO's response: "Can we afford to do both simultaneously?"
Priya: "Can you afford not to?"
Outcome
Altara authorized parallel workstreams for KYC automation (target: reduce institutional onboarding from 21 days to 5 days) and MiFID II transaction reporting remediation (target: eliminate late amendments within six months).
Priya's engagement continued for ten months. By month six:
- KYC onboarding time had been reduced to 7 days (target missed, but significant improvement)
- MiFID II late amendments had been eliminated
- A communications and personal account dealing surveillance system had been procured and configured
By month ten:
- SFDR reporting automation was in design
- AIFMD data quality had been addressed through a renegotiated administrator agreement with cleaner data specifications
- A regulatory change management tool had been implemented and the CCO's manual monitoring replaced
The total technology investment over ten months: approximately €680,000 across three vendors. Priya's estimate of the regulatory risk value of eliminating the MiFID II breach pattern: difficult to quantify, but a regulatory fine for persistent transaction reporting failures at an asset manager of Altara's size might have ranged from €200,000 to €2 million depending on FCA/CSSF disposition.
Discussion Questions
1. Priya used a two-dimensional prioritization framework (regulatory risk × operational pain). What are the limitations of this framework? What additional dimensions might a more sophisticated assessment include?
2. The CCO had a preferred vendor for the KYC solution before Priya's assessment was complete. What risks does this create? How should Priya handle a situation where the client has already decided on a vendor before the needs assessment is finished?
3. Priya estimated that a regulatory fine for persistent MiFID II transaction reporting failures "might have ranged from €200,000 to €2 million." What information would you need to make this estimate more precise? What methodology would you use?
4. Altara is an asset manager, not a bank. How does this affect which RegTech family is most relevant to its compliance challenges? Which obligations that would be central for a bank are absent or reduced for an asset manager?
5. The case study ends with Priya estimating a ROI for the MiFID II remediation work. Is this the right way to frame compliance technology investment? What are the arguments for and against framing compliance technology in terms of ROI?
Key Concepts Illustrated
- Taxonomy application: The five-family framework as a practical needs assessment tool
- Prioritization under constraint: When multiple compliance gaps exist simultaneously, sequencing matters
- The adviser's dilemma: The gap between what clients want to hear and what they need to know
- Parallel workstreams: Sometimes sequential prioritization is not an option
- Regulatory risk quantification: The challenge and importance of quantifying regulatory risk in financial terms