Chapter 32: Quiz — Global RegTech: US, EU, UK, APAC Comparative Landscape

Instructions: Select the best answer for each question. An answer key with explanations appears at the end of the quiz.


Question 1

Which jurisdiction has the most prescriptive statutory framework for operational resilience in financial services?

A) United States (FFIEC guidance)
B) United Kingdom (FCA/PRA PS21/3)
C) European Union (DORA)
D) Singapore (MAS TRM Guidelines)


Question 2

What is the primary purpose of the EU's Anti-Money Laundering Authority (AMLA)?

A) To replace FATF as the global AML standard-setter
B) To directly supervise the highest-risk EU financial entities and issue binding AML technical standards, replacing the current national-level patchwork
C) To coordinate AML enforcement between the EU and United States
D) To administer the EU's UBO register on behalf of all member states


Question 3

What is the primary federal legislation governing AML/BSA compliance for US financial institutions?

A) USA PATRIOT Act
B) Dodd-Frank Wall Street Reform Act
C) Bank Secrecy Act (BSA)
D) Financial Services Modernization Act (GLBA)


Question 4

What role does FATF play in the global AML landscape?

A) FATF is a supranational regulator that directly supervises financial institutions
B) FATF issues Forty Recommendations that establish global AML standards, which member jurisdictions are expected to implement in national law
C) FATF manages the UN Consolidated Sanctions List on behalf of the Security Council
D) FATF directly prosecutes money laundering offenses in jurisdictions that request its assistance


Question 5

MAS's FEAT Principles govern which compliance domain in Singapore?

A) Anti-money laundering and counter-terrorist financing
B) Market abuse and market surveillance
C) AI and algorithmic governance in financial services
D) Data privacy and cross-border data transfers


Question 6

Following Brexit, how is the UK's AML framework best characterized relative to the EU's?

A) The UK adopted AMLD6 by reference and remains bound by EU AML Regulation directly
B) The UK largely mirrors EU AMLD5 standards in domestic legislation but is developing in parallel and is not bound by AMLA's technical standards
C) The UK has abandoned the risk-based approach and moved to a rules-based prescriptive framework
D) The UK AML framework is now aligned with the US BSA framework through a bilateral agreement


Question 7

Where does the EU AI Act have extraterritorial effect?

A) Only in EU member states where the AI system provider is established
B) Only for AI systems developed by EU-based companies, regardless of where they are deployed
C) For any AI system placed on the EU market or used to affect EU residents, regardless of where the provider is established
D) The EU AI Act has no extraterritorial effect; it applies only within EU territory


Question 8

Why do data localization requirements affect cloud architecture decisions for RegTech platforms?

A) Data localization requirements determine the programming language that RegTech vendors must use
B) Regulations such as EU GDPR and Singapore PDPA restrict transfers of personal data to countries lacking adequate protections, requiring personal data to be stored in compliant regional infrastructure
C) Data localization is a cybersecurity control that reduces the risk of ransomware attacks
D) Data localization requirements apply only to government data, not financial services data


Question 9

What is a key structural difference between the EU GDPR's consent framework and the California CCPA's approach to consumer privacy?

A) GDPR requires a blanket opt-in for all marketing; CCPA requires blanket opt-out for all processing
B) GDPR requires freely given, specific, and informed consent as a lawful basis for processing, while CCPA primarily provides an opt-out right for the sale or sharing of personal data rather than requiring opt-in consent for all processing
C) CCPA requires a Data Protection Officer; GDPR does not
D) There is no material difference — both frameworks are based on the same opt-in consent model


Question 10

The STOR obligation — requiring firms to report suspicious transactions and orders to regulators — applies under which framework?

A) EU Market Abuse Regulation (MAR) and MiFIR Article 31
B) EU GDPR and UK GDPR
C) DORA Article 19
D) FATF Recommendation 20


Question 11

What is the purpose of the Consolidated Audit Trail (CAT) in the US?

A) To consolidate all US federal regulatory guidance into a single searchable database
B) To create a comprehensive audit trail of order events across US equities and options markets, enabling the SEC to reconstruct market activity
C) To record all BSA/AML suspicious activity reports in a consolidated database
D) To track cybersecurity incidents across critical infrastructure sectors


Question 12

Why does DORA have no direct equivalent in US federal law?

A) The US has no technology risks in its financial system
B) DORA's requirements are too technically complex for US regulators to implement
C) US financial services regulation remains sector-specific and guidance-based for technology and operational resilience; no single statutory framework imposes equivalent ICT risk management obligations on financial institutions
D) US firms are exempt from DORA because of the US-EU mutual recognition agreement


Question 13

Under Singapore's PDPA, what is the primary legal basis for collecting, using, and disclosing personal data?

A) Legitimate interest, as under EU GDPR
B) Consent, which is the foundational basis under the PDPA framework
C) Regulatory mandate — all financial data collection is deemed lawful
D) Contractual necessity — the PDPA applies only to non-contractual data


Question 14

MiCA — the Markets in Crypto-Assets Regulation — is the primary licensing framework for crypto-asset service providers operating in which jurisdiction?

A) United States
B) United Kingdom
C) Singapore
D) European Union


Answer Key

Question 1 — Answer: C) European Union (DORA)

DORA is the most comprehensive statutory operational resilience framework for financial services globally. It imposes mandatory ICT risk management, incident reporting timelines, threat-led penetration testing (TLPT), and third-party risk management requirements through directly applicable EU Regulation. The UK PS21/3 framework is outcomes-based and principles-driven rather than prescriptive. Singapore's MAS TRM Guidelines are highly prescriptive but are guidelines rather than primary legislation. US FFIEC guidance is advisory and does not carry statutory force.

Question 2 — Answer: B) To directly supervise the highest-risk EU financial entities and issue binding AML technical standards

AMLA will assume direct supervisory responsibility for the highest-risk EU financial entities from 2026 and will issue binding technical standards that replace the current national-level implementation divergence across EU member states. AMLA does not replace FATF (which is a global inter-governmental body); it does not administer the UBO register; and it operates within the EU, not between the EU and US.

Question 3 — Answer: C) Bank Secrecy Act (BSA)

The BSA, enacted in 1970 and administered by FinCEN, is the primary federal AML framework in the US. The USA PATRIOT Act amended and significantly expanded the BSA but is not the primary legislation itself. Dodd-Frank addressed systemic risk and financial system reform. GLBA (the Gramm-Leach-Bliley Act) addressed financial privacy but is not the AML framework.

Question 4 — Answer: B) FATF issues Forty Recommendations that establish global AML standards

FATF is an inter-governmental policy-making body. Its Forty Recommendations establish global standards for AML and counter-terrorist financing. Member jurisdictions are expected to implement these in national law and are subject to mutual evaluations to assess technical compliance and effectiveness. FATF does not directly supervise financial institutions, manage the UN sanctions list, or prosecute offenses.

Question 5 — Answer: C) AI and algorithmic governance in financial services

MAS's FEAT Principles — Fairness, Ethics, Accountability, and Transparency — are the MAS framework for AI and algorithmic governance in financial services. They are voluntary but carry supervisory weight. The MAS Veritas consortium develops practical tools for testing AI models against FEAT standards. FEAT does not govern AML, market surveillance, or data privacy directly.

Question 6 — Answer: B) The UK largely mirrors AMLD5 standards but develops in parallel and is not bound by AMLA's technical standards

Following Brexit, the UK transposed EU law into domestic legislation. The UK AML framework broadly mirrors AMLD5 but the UK is not subject to AMLD6 or the 2024 EU AML Regulation, and is not bound by AMLA's binding technical standards. The UK continues to develop its own AML guidance through JMLSG and FCA/HMRC. The UK has not aligned with the US BSA framework.

Question 7 — Answer: C) Any AI system placed on the EU market or used to affect EU residents, regardless of where the provider is established

The EU AI Act has explicit extraterritorial effect. It applies to providers and deployers of AI systems that place them on the EU market or put them into service in the EU, regardless of where those providers are established. A US-based company providing AI-powered credit decisioning to EU customers must comply with the EU AI Act for those services.

Question 8 — Answer: B) Regulations restrict transfers of personal data to countries lacking adequate protections, requiring regional infrastructure

EU GDPR, Singapore PDPA, and China PIPL restrict transfers of personal data to third countries unless specific conditions are met (adequacy decisions, SCCs, BCRs). This means personal data of residents in those jurisdictions cannot freely flow to data centers in other countries without meeting transfer requirements. Cloud platforms must support regional data residency to be compliant in these jurisdictions.

Question 9 — Answer: B) GDPR requires specific consent as a lawful basis; CCPA primarily provides an opt-out right for data sale

GDPR requires a lawful basis for all personal data processing; consent is one of six possible lawful bases and must be freely given, specific, informed, and unambiguous. CCPA does not require opt-in consent for most processing but gives California residents the right to opt out of the sale or sharing of their personal data. These are structurally different frameworks — not merely different thresholds for the same mechanism.

Question 10 — Answer: A) EU Market Abuse Regulation (MAR) and MiFIR Article 31

STOR — Suspicious Transaction and Order Reports — is a requirement under EU MAR. Article 31 of MiFIR requires trading venues to submit STORs to national competent authorities when they detect suspicious transactions or orders. UK MAR maintains an equivalent STOR regime post-Brexit. DORA governs ICT incidents, not market abuse reporting. FATF Recommendation 20 governs SAR filing for AML, not market abuse.

Question 11 — Answer: B) To create a comprehensive audit trail of order events across US equities and options markets

The Consolidated Audit Trail (CAT) requires broker-dealers and national securities exchanges to submit records of all order events — from order receipt through execution and cancellation — to a central CAT repository. This enables the SEC to reconstruct market activity across all venues. The CAT replaced the earlier OATS system and addresses a long-standing gap in cross-market surveillance.

Question 12 — Answer: C) US regulation remains sector-specific and guidance-based; no single statutory framework imposes equivalent obligations

The US financial regulatory system remains fragmented across multiple agencies (OCC, FDIC, Federal Reserve, CFTC, SEC, CFPB) and relies heavily on supervisory guidance rather than prescriptive statutory rules for technology and operational resilience. There is no US statute directly equivalent to DORA. US firms subject to DORA (because of their EU operations) must comply with DORA for those operations, but their US operations are not subject to DORA.

Question 13 — Answer: B) Consent is the foundational basis under the PDPA

Singapore's PDPA is fundamentally consent-based: organizations generally must obtain an individual's consent before collecting, using, or disclosing personal data. The 2021 amendments introduced deemed consent provisions and an additional legitimacy exception, but consent remains the primary basis. This differs from EU GDPR, which provides six lawful bases of which consent is one.

Question 14 — Answer: D) European Union

MiCA — the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) — is the EU's licensing framework for crypto-asset service providers and issuers of crypto-assets operating in the EU. It provides a single EU-wide license for CASPs. The US, UK, and Singapore each have separate regulatory frameworks for crypto-asset service providers, none of which is MiCA.