Chapter 32: Exercises — Global RegTech: US, EU, UK, APAC Comparative Landscape

Exercise 1: Complete a Jurisdiction-Domain Matrix

Task: Atlas Securities is a broker-dealer with licensed operations in the United States, the European Union (Ireland), and Hong Kong. It conducts equities trading, fixed income trading, and wealth management services.

Using the five-domain framework from Chapter 32, complete a jurisdictional compliance matrix for Atlas Securities. For each cell in the matrix below, identify: (a) the primary regulatory framework; (b) the primary regulator; (c) one technology-specific requirement unique to that jurisdiction-domain combination.

Domain                        | United States | European Union | Hong Kong
------------------------------+---------------+----------------+----------
AML / KYC                     |               |                |
Market Surveillance           |               |                |
Operational Resilience        |               |                |
AI / Algorithmic Governance   |               |                |
Data Privacy                  |               |                |

After completing the matrix, answer the following questions:

  1. Which three cells present the highest technology implementation complexity, and why?
  2. For which domain is there greatest convergence across Atlas's three jurisdictions, and what does that convergence enable from a technology architecture perspective?
  3. Identify one jurisdiction-domain combination where Atlas faces a compliance requirement that has no equivalent in either of the other two jurisdictions.

Exercise 2: DORA vs. UK PS21/3 — Technology Requirements

Task: Identify three specific technology requirements that differ meaningfully between the EU's DORA and the UK operational resilience framework (FCA PS21/3, with the PRA's parallel policy statement PS6/21). For each difference, explain: (a) what DORA requires; (b) what the UK framework requires; (c) why the difference matters for platform configuration; and (d) how a firm operating in both the UK and the EU should handle the difference in its technology architecture.

Guidance: Consider the following areas as potential sources of difference:
  - ICT incident classification and reporting timelines
  - The scope and frequency of resilience testing
  - Third-party risk management contractual requirements
  - The terminology and structure of the underlying resilience framework (important business services and impact tolerances under PS21/3 vs. the ICT risk management framework under DORA)
  - Regulatory notification recipients and formats

Your answer should be written as a structured comparison memorandum of approximately 600 words, suitable for a compliance team briefing.


Exercise 3: Data Localization Architecture for a UK-EU-Singapore Firm

Task: Verdant Investment Management operates investment advisory services from offices in London (UK), Frankfurt (EU/Germany), and Singapore. It holds personal data for:
  - 4,200 UK clients (UK GDPR applies)
  - 3,800 EU clients across Germany, France, and the Netherlands (EU GDPR applies)
  - 2,100 Singapore clients (Singapore PDPA applies)
  - 850 international clients with no fixed jurisdiction

Verdant is migrating its client data management platform to a cloud infrastructure using a major cloud provider (assume AWS, Azure, or GCP — your choice).

Design a data localization architecture for Verdant's cloud migration that satisfies the cross-border transfer restrictions of UK GDPR, EU GDPR, and Singapore PDPA (none of the three mandates in-country storage outright; residency decisions follow from how transfers are restricted). Your architecture design should address:

  1. Where each client data category will be stored (which cloud region)
  2. How cross-border data transfers between offices will be managed lawfully
  3. What data transfer mechanisms are available for each jurisdiction pair (UK-EU, UK-Singapore, EU-Singapore)
  4. How the architecture will handle the 850 international clients with no fixed jurisdiction
  5. What monitoring and access controls will ensure data does not flow to non-compliant regions

Present your architecture as a diagram description (sketch the components and data flows in text form) and a one-page written justification referencing the applicable legal frameworks.
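To make item 5 concrete, the following is an added example (not part of the chapter and not a model answer): a residency guard that checks constructed storage-placement and replication events against a per-jurisdiction region allowlist and refuses cross-jurisdiction copies that do not carry an accepted transfer mechanism. The region allocation (AWS region names), the decision to house the no-fixed-jurisdiction clients with the UK estate, and the mechanism tags are assumptions for illustration; the firm's legal analysis sets the real values.

```python
"""Residency guard over constructed storage events (added example for Exercise 3).

Assumptions: AWS region names; INTL clients default to the UK estate; the
mechanism tags reflect instruments commonly relied on for each pair and must
be confirmed by counsel before use.
"""
from __future__ import annotations

# Assumed home region(s) per client data category.
HOME_REGIONS: dict[str, set[str]] = {
    "UK": {"eu-west-2"},         # London
    "EU": {"eu-central-1"},      # Frankfurt
    "SG": {"ap-southeast-1"},    # Singapore
    "INTL": {"eu-west-2"},       # assumption: no-fixed-jurisdiction clients sit with head office
}
REGION_TO_JURISDICTION = {"eu-west-2": "UK", "eu-central-1": "EU", "ap-southeast-1": "SG"}

# Mechanism tags a cross-jurisdiction copy must carry before it is allowed (assumed).
TRANSFER_MECHANISMS: dict[tuple[str, str], set[str]] = {
    ("UK", "EU"): {"adequacy"},            # UK and EU recognise each other as adequate
    ("EU", "UK"): {"adequacy"},
    ("UK", "SG"): {"IDTA", "UK-addendum"},  # UK international data transfer agreement / addendum
    ("EU", "SG"): {"SCC"},                 # no EU adequacy decision for Singapore
    ("SG", "UK"): {"contract"},            # PDPA transfer limitation: comparable protection by contract
    ("SG", "EU"): {"contract"},
}


def check_event(event: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one 'put' (storage placement) or 'replicate' event."""
    category = event["category"]
    home = HOME_REGIONS.get(category)
    if home is None:
        return False, f"unknown data category {category!r}"
    if event["type"] == "put":
        region = event["region"]
        if region in home:
            return True, "stored in home region"
        return False, f"{category} data written to non-home region {region}"
    if event["type"] == "replicate":
        src, dst = event["src_region"], event["dst_region"]
        src_j, dst_j = REGION_TO_JURISDICTION.get(src), REGION_TO_JURISDICTION.get(dst)
        if dst_j is None:
            return False, f"destination region {dst} is outside the approved estate"
        if src_j == dst_j:
            return True, "intra-jurisdiction copy"
        mech = event.get("mechanism")
        if mech in TRANSFER_MECHANISMS.get((src_j, dst_j), set()):
            return True, f"{src_j}->{dst_j} covered by {mech}"
        return False, f"{src_j}->{dst_j} transfer lacks an accepted mechanism (got {mech!r})"
    return False, f"unknown event type {event['type']!r}"


# Constructed sample events; index 1, 3 and 4 are the ones that should be blocked.
SAMPLE_EVENTS = [
    {"type": "put", "category": "EU", "region": "eu-central-1"},
    {"type": "put", "category": "SG", "region": "eu-west-2"},
    {"type": "replicate", "category": "UK", "src_region": "eu-west-2",
     "dst_region": "eu-central-1", "mechanism": "adequacy"},
    {"type": "replicate", "category": "EU", "src_region": "eu-central-1",
     "dst_region": "ap-southeast-1", "mechanism": None},
    {"type": "replicate", "category": "EU", "src_region": "eu-central-1",
     "dst_region": "us-east-1", "mechanism": "SCC"},
    {"type": "put", "category": "INTL", "region": "eu-west-2"},
]


def violations(events: list[dict]) -> list[int]:
    """Indexes of events the guard rejects."""
    return [i for i, e in enumerate(events) if not check_event(e)[0]]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        ok, reason = check_event(e)
        print(f"[{i}] {'ALLOW' if ok else 'DENY '} {reason}")
```

Note that the last denial fires even though an SCC tag is present: a region outside the approved estate is refused before any mechanism is considered, which is the behaviour you want from the preventive layer (an organisation-level region deny policy at the cloud provider) as much as from this detective check.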


Exercise 4: Code Exercise — Add a weighted_risk_score Method

Task: The MultiJurisdictionalComplianceMatrix class in Chapter 32's Python section includes a risk_score() method that assigns scores based on unmapped cells and divergence counts. Extend this implementation to provide a more sophisticated risk assessment.

Write a new method called weighted_risk_score() that:

  1. Accepts a domain_weights dictionary mapping ComplianceDomain to a numeric weight reflecting the compliance importance of each domain for a specific firm (e.g., a payments firm might weight AML/KYC at 3.0 and AI Governance at 0.5)
  2. Accepts a jurisdiction_weights dictionary mapping Jurisdiction to a numeric weight reflecting the regulatory risk profile of each jurisdiction (e.g., EU might weight at 2.0 due to GDPR/DORA penalties; US at 1.5)
  3. Returns a dictionary mapping (Jurisdiction, ComplianceDomain) tuples to weighted scores, computed per cell as:
       (gap_score + divergence_score) × domain_weight × jurisdiction_weight
     where gap_score = 10 if the cell is unmapped and 0 if it is mapped, and divergence_score = number of divergences × 3

  4. Includes a top_risks(n: int) method that takes the same two weight dictionaries and returns the top n highest-scoring jurisdiction-domain pairs from the weighted risk score, formatted as a list of dictionaries with keys jurisdiction, domain, score, and status (UNMAPPED, or MAPPED with N divergences)

Test your implementation by extending the Cornerstone Financial Group matrix from the chapter, adding weights for each jurisdiction and domain, and printing the top 5 risk combinations.

Starter code:

# Both methods belong inside the chapter's MultiJurisdictionalComplianceMatrix class.
def weighted_risk_score(
    self,
    domain_weights: dict[ComplianceDomain, float],
    jurisdiction_weights: dict[Jurisdiction, float],
    gap_weight: int = 10,
    divergence_weight: int = 3,
) -> dict[tuple[Jurisdiction, ComplianceDomain], float]:
    """
    Calculate weighted risk scores for each jurisdiction-domain combination.
    Implement this method based on the specification above.
    """
    # Your implementation here
    pass

def top_risks(
    self,
    n: int,
    domain_weights: dict[ComplianceDomain, float],
    jurisdiction_weights: dict[Jurisdiction, float],
) -> list[dict]:
    """
    Return the top n highest-risk jurisdiction-domain combinations.
    """
    # Your implementation here
    pass
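A complete, runnable version of the two methods follows, as an added example rather than the chapter's code: the chapter's Jurisdiction, ComplianceDomain and MultiJurisdictionalComplianceMatrix classes are not reproduced on this page, so a minimal stand-in of assumed shape is defined here, and the cells and weights are constructed illustrative values, not the Cornerstone Financial Group data.

```python
"""Worked weighted_risk_score()/top_risks() for Exercise 4 (added example).

The enum members, the Cell record and the matrix class are a stand-in of assumed
shape for the chapter's classes; the cells below are constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Jurisdiction(Enum):  # assumed member names
    US = "United States"
    EU = "European Union"
    HK = "Hong Kong"


class ComplianceDomain(Enum):  # the five domains of the chapter's framework
    AML_KYC = "AML / KYC"
    MARKET_SURVEILLANCE = "Market Surveillance"
    OPERATIONAL_RESILIENCE = "Operational Resilience"
    AI_GOVERNANCE = "AI / Algorithmic Governance"
    DATA_PRIVACY = "Data Privacy"


@dataclass
class Cell:
    framework: str | None = None  # None means the cell is unmapped
    divergences: list[str] = field(default_factory=list)

    @property
    def mapped(self) -> bool:
        return self.framework is not None


class MultiJurisdictionalComplianceMatrix:
    def __init__(self, jurisdictions, domains):
        self.cells = {(j, d): Cell() for j in jurisdictions for d in domains}

    def map_cell(self, j, d, framework, divergences=()):
        self.cells[(j, d)] = Cell(framework, list(divergences))

    def weighted_risk_score(self, domain_weights, jurisdiction_weights,
                            gap_weight=10, divergence_weight=3):
        """Per cell: (gap_score + divergence_score) x domain_weight x jurisdiction_weight.
        A missing weight defaults to 1.0 so an unweighted cell is still scored."""
        scores = {}
        for (j, d), cell in self.cells.items():
            gap_score = 0 if cell.mapped else gap_weight
            divergence_score = len(cell.divergences) * divergence_weight
            scores[(j, d)] = ((gap_score + divergence_score)
                              * domain_weights.get(d, 1.0) * jurisdiction_weights.get(j, 1.0))
        return scores

    def top_risks(self, n, domain_weights, jurisdiction_weights,
                  gap_weight=10, divergence_weight=3):
        scores = self.weighted_risk_score(domain_weights, jurisdiction_weights,
                                          gap_weight, divergence_weight)
        # Highest score first; ties broken by name so the ranking is deterministic.
        ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0][0].value, kv[0][1].value))
        result = []
        for (j, d), score in ranked[:n]:
            cell = self.cells[(j, d)]
            status = "UNMAPPED" if not cell.mapped else f"MAPPED with {len(cell.divergences)} divergences"
            result.append({"jurisdiction": j.value, "domain": d.value, "score": score, "status": status})
        return result


J, D = Jurisdiction, ComplianceDomain
DOMAIN_WEIGHTS = {D.AML_KYC: 3.0, D.MARKET_SURVEILLANCE: 1.5, D.OPERATIONAL_RESILIENCE: 2.0,
                  D.AI_GOVERNANCE: 0.5, D.DATA_PRIVACY: 2.0}
JURISDICTION_WEIGHTS = {J.US: 1.5, J.EU: 2.0, J.HK: 1.0}

# Constructed cells: (jurisdiction, domain, framework label, divergence notes).
# (US, AI_GOVERNANCE), (US, DATA_PRIVACY), (HK, MARKET_SURVEILLANCE) and
# (HK, AI_GOVERNANCE) are deliberately left unmapped.
CONSTRUCTED_CELLS = [
    (J.US, D.AML_KYC, "BSA", ["beneficial-ownership threshold"]),
    (J.EU, D.AML_KYC, "AMLD", []),
    (J.HK, D.AML_KYC, "AMLO", ["CDD timing", "PEP definition"]),
    (J.US, D.MARKET_SURVEILLANCE, "FINRA rules", []),
    (J.EU, D.MARKET_SURVEILLANCE, "MAR", []),
    (J.US, D.OPERATIONAL_RESILIENCE, "Reg SCI", []),
    (J.EU, D.OPERATIONAL_RESILIENCE, "DORA", ["incident reporting clock"]),
    (J.HK, D.OPERATIONAL_RESILIENCE, "HKMA SPM OR-2", []),
    (J.EU, D.AI_GOVERNANCE, "AI Act", ["conformity assessment", "registration"]),
    (J.EU, D.DATA_PRIVACY, "GDPR", []),
    (J.HK, D.DATA_PRIVACY, "PDPO", ["cross-border transfer guidance"]),
]


def build_example_matrix() -> MultiJurisdictionalComplianceMatrix:
    m = MultiJurisdictionalComplianceMatrix(list(J), list(D))
    for j, d, framework, divergences in CONSTRUCTED_CELLS:
        m.map_cell(j, d, framework, divergences)
    return m


if __name__ == "__main__":
    for row in build_example_matrix().top_risks(5, DOMAIN_WEIGHTS, JURISDICTION_WEIGHTS):
        print(f"{row['score']:5.1f}  {row['jurisdiction']:<15} {row['domain']:<28} {row['status']}")
```

With these constructed values the top five are (US, Data Privacy) at 30.0, (HK, AML / KYC) at 18.0, (HK, Market Surveillance) at 15.0, (US, AML / KYC) at 13.5 and (EU, Operational Resilience) at 12.0. Two design points worth carrying into your own version: a missing weight defaults to 1.0 rather than 0.0, so a cell nobody thought to weight cannot silently disappear from the ranking, and ties are broken by name so two runs over the same matrix produce the same list.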

Exercise 5: Briefing Note — EU AI Act vs. UK Sector-Specific Approach for Credit Scoring

Task: You are a senior compliance manager at a UK-EU financial services firm. Your firm uses an AI-based credit scoring model that is deployed in both the UK (for UK customers) and the EU (for EU customers through your Luxembourg subsidiary). The model uses alternative data — including payment history on utility bills, rental payments, and smartphone usage patterns — in addition to traditional credit bureau data.

The Chief Risk Officer has asked you to prepare a briefing note for the Board comparing the regulatory obligations that apply to this credit scoring AI in each jurisdiction.

Your briefing note should:

  1. EU AI Act analysis: Classify the credit scoring AI under the EU AI Act's risk tiers. Justify your classification. Identify the specific requirements that apply: conformity assessment, technical documentation, human oversight, data governance, registration, and post-market monitoring.

  2. UK sector-specific approach: Identify which UK regulatory frameworks apply to the credit scoring AI (consider the FCA Consumer Duty, model risk management expectations, the FCA/PRA AI principles, and the FCA Handbook provisions on creditworthiness assessment in CONC). Explain the obligations that arise from each applicable framework.

  3. Key divergences: Identify three specific divergences between the EU AI Act requirements and the UK requirements for this use case. For each divergence, explain the practical compliance implication for the firm.

  4. Recommended approach: Recommend how the firm should structure its AI governance for the credit scoring model to satisfy both the EU AI Act and the UK framework, minimizing duplication while ensuring full compliance in each jurisdiction.

Your briefing note should be approximately 700 words and written in the style of an internal Board paper — clear, structured, and free of regulatory jargon where plain language is equally accurate.