Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping

Four applied exercises. Each exercise is designed to develop a specific practical skill from this chapter. Exercises can be completed individually or in groups. Suggested time allocations are provided.


Exercise 35.1 — Conducting a Compliance Maturity Assessment

Skill developed: Applying the five-dimension maturity model to assess an organisation's current compliance technology capability

Suggested time: 45–60 minutes

Format: Individual analysis and written assessment report


Scenario

Meridian Wealth Management is a UK-regulated investment adviser with £12 billion AUM, serving high-net-worth individual and family office clients. The firm has been in operation for 22 years and has a staff of 340 people, of whom 28 work in the compliance and risk function.

You are a RegTech consultant called in following a routine FCA supervision visit during which the supervisor noted "concerns about the robustness of the firm's compliance monitoring infrastructure" and requested a written response within 45 days. In your first week, you gather the following information:

About the firm's compliance technology:

  • Client onboarding documentation is collected through a third-party document portal, but risk ratings are assigned manually by relationship managers using a PDF checklist. The checklist was last updated in 2019.
  • AML transaction monitoring is performed by the compliance team using a monthly data extract from the custody system, reviewed in Excel against a set of red flag criteria written in a Word document. No automated monitoring system is in place.
  • Regulatory reports (MIFID II reporting, COBS 16A reports, occasional SYSC reports) are produced manually by the Head of Compliance and one senior associate. Report production involves pulling data from three separate systems, reconciling manually, and formatting in Excel.
  • The firm has a compliance management system (CMS), deployed in 2021, for policy management and training records. It is actively used for both purposes and is well-maintained.
  • Audit trail: Compliance decisions are documented by email, filed in a shared compliance folder. Email archiving is in place. The shared folder has no access controls; anyone at the firm can access it.

About data quality:

  • The client master is maintained in the CRM system. The Head of Compliance estimates that approximately 30% of client records are missing one or more required fields (primarily source of wealth documentation references and beneficial ownership confirmations for entities). These gaps are known but have not been systematically remediated.
  • The firm has no data governance policy. Data quality is assessed informally, when problems surface.

About reporting:

  • The last MIFID II transaction report contained three errors identified by the FCA's data quality report. The errors were corrected on resubmission. No formal root cause analysis was conducted.
  • Board compliance reporting consists of a monthly one-page narrative written by the Head of Compliance. No metrics, key risk indicators, or trend data are included.

About monitoring:

  • The firm has no real-time compliance monitoring. The monthly transaction monitoring review is the only systematic monitoring activity.
  • The Head of Compliance meets weekly with each relationship manager team to discuss any compliance questions. These meetings are not structured; issues are raised informally.


Task

Using the five-dimension maturity framework from Section 35.3:

Part A: Score each of the five dimensions (Process Automation, Data Quality, Reporting Capability, Monitoring Effectiveness, Audit Trail Completeness) on a 1–5 scale. For each score, write two to three sentences citing the specific evidence from the scenario that supports your score.

Part B: Calculate the overall maturity score and identify the maturity stage (Ad Hoc, Reactive, Defined, Managed, or Optimized).

Part C: Identify the two lowest-scoring dimensions and, for each, list three specific gaps that would need to be closed to advance to the next maturity stage.

Part D: Write a four- to six-sentence summary of your maturity assessment finding that you would present to the firm's management committee. Your summary should describe the current state honestly, identify the most critical gaps, and set an appropriate expectation for the remediation programme.


Reflection Questions

After completing the assessment:

  1. Were there any areas where the evidence was ambiguous and your scoring depended on judgment calls? How did you handle those ambiguities?
  2. The Head of Compliance at Meridian has been with the firm for 18 years. She is proud of the compliance programme she has built and believes it is robust. How would you approach sharing these findings with her in a way that is honest but constructive?
  3. If the firm's self-assessment had been conducted without external oversight, which dimensions would you expect to be most over-reported? Why?


Exercise 35.2 — Stakeholder Mapping for a RegTech Programme

Skill developed: Identifying, categorising, and analysing the stakeholder landscape for a RegTech initiative; diagnosing potential sources of resistance and developing management strategies

Suggested time: 40–50 minutes

Format: Stakeholder map and written analysis


Scenario

Hartfield Insurance Group is a UK composite insurer (general and life insurance) with 1,800 staff and approximately £4 billion in gross written premium. The firm is planning a RegTech programme to address three regulatory requirements that its current compliance infrastructure does not adequately support:

  1. Solvency II Pillar III reporting: Currently produced manually in Excel with significant staff time involvement. Last year's SFCR submission contained two material errors that required resubmission.
  2. Consumer Duty monitoring: The FCA has indicated in recent supervisory communications that it expects near-real-time monitoring of Consumer Duty outcome metrics. Hartfield currently produces a quarterly summary report prepared manually.
  3. Financial crime risk management: A recent thematic review by the FCA identified gaps in the firm's transaction monitoring for insurance premium finance. The firm has been given 90 days to submit a remediation plan.

The following individuals have been identified as relevant to the programme:

  • Sarah Okonjo — Chief Risk Officer (CRO): Has direct accountability for Solvency II Pillar III reporting. Is sponsoring the programme. Has a history of successful technology implementations but is known to be protective of her team's independence.
  • James Whitfield — Chief Compliance Officer (CCO): Owns Consumer Duty and financial crime obligations. Is not the programme sponsor (the CRO holds that role, which Whitfield privately considers a slight). Has less technology experience than Okonjo.
  • Elena Patel — Group CTO: Will be responsible for all technology delivery. Has a large backlog of technology projects across the firm. RegTech is not her highest priority. Has a strong preference for in-house builds over vendor solutions.
  • Marcus Webb — Head of Actuarial (and his team of 12): Currently produces the Solvency II reports. Has invested significant personal time in the existing Excel models. Is concerned that a new system will make his team's skills redundant.
  • Danielle Frost — Head of Retail Distribution: Responsible for the customer-facing operations most relevant to Consumer Duty. Has raised concerns that real-time monitoring will create "compliance theatre" — dashboards that don't reflect genuine customer outcomes.
  • Finance Director (name not given): Holds the budget. Has approved the business case in principle but has asked for monthly spending reviews. Does not understand why the business case assumes 36 months of value realisation for an investment that will be delivered in 18 months.
  • Internal Audit: Has been asked to provide assurance on the programme but has not yet agreed the scope of their involvement.
  • The FCA (regulator): Has issued the 90-day window for the financial crime remediation plan. Expects a credible response.

Task

Part A: Classify each stakeholder (or stakeholder group) into one of the four categories from Section 35.4.4: Must Approve, Must Execute, Must Support, or Can Block. Note that some stakeholders may fall into multiple categories; where this is the case, explain your reasoning.

Part B: For each stakeholder classified as "Can Block," write a brief analysis (three to five sentences) of: (a) why they have blocking power, (b) what their primary concern is, and (c) what engagement strategy you would recommend to convert them from a potential blocker to a supporter.

Part C: Identify the two most significant governance risks in this stakeholder landscape. For each risk, describe the governance mechanism or explicit agreement you would recommend to mitigate it.

Part D: The FCA is listed as a stakeholder but is in a fundamentally different category from all the others. Explain how the FCA's status as a regulatory stakeholder changes the programme's decision calculus in ways that an internal stakeholder cannot.


Reflection Questions

  1. The programme has two potential co-owners (the CRO and the CCO) who have a difficult relationship around programme ownership. How does the stakeholder landscape affect your governance design recommendation?
  2. Marcus Webb's concern that the new system will make his team's skills redundant is a very common response to compliance automation. Is this concern legitimate? How should the programme address it?

Exercise 35.3 — Designing a Three-Horizon RegTech Roadmap

Skill developed: Constructing a sequenced, dependency-aware RegTech roadmap using the three-horizon framework; applying the data-first principle and prioritisation criteria

Suggested time: 50–60 minutes

Format: Written roadmap with rationale


Scenario

Bramblewood Bank is a UK challenger bank (SME lending and deposits) with approximately £2.1 billion in total assets, authorised by the PRA and FCA. The bank has been operating for five years and has grown rapidly. Its compliance function has grown reactively — adding tools and people in response to specific regulatory requirements as they arose — and the result is a fragmented technology estate and a compliance team that is stretched thin.

The bank's new CCO, appointed four months ago, has commissioned a maturity assessment. The results:

  • Process Automation: 2/5. KYC is partially automated (document collection is digital; risk ratings and PEP/sanctions checks are automated via a vendor platform). Periodic KYC review is manual and backlogged (estimated 14% of customers overdue for refresh). Transaction monitoring is automated through a standard-configuration AML platform deployed in 2021, but alert thresholds have not been reviewed since deployment.
  • Data Quality: 2/5. SME customer data has significant gaps in UBO fields (estimated 31% of entity customers have incomplete beneficial ownership records). The customer master is duplicated across the core banking system and the CRM; the two copies are out of sync for approximately 8% of records.
  • Reporting Capability: 3/5. Regulatory reports are produced through a combination of automated generation and manual adjustment. The bank's CMAR and COREP reports are generated automatically; the AML suspicious activity and transaction reports are manually prepared.
  • Monitoring Effectiveness: 2/5. Transaction monitoring alert volume is high; estimated false positive rate 89%. The monitoring team processes approximately 340 alerts per week, of which approximately 30 result in escalation. The head of the monitoring team reports that genuine suspicious activity is likely being missed due to alert fatigue.
  • Audit Trail Completeness: 3/5. Core compliance activities are logged. Decision documentation for KYC risk rating overrides is inconsistent. Voice recording retention has a gap: calls prior to 2022 were not captured by the current system and are stored on a legacy platform with no practical retrieval capability.

The bank's three most pressing regulatory concerns (from the CCO's risk assessment):

  1. The PRA has written to all challenger banks asking for evidence of robust operational resilience frameworks, with a response deadline of four months.
  2. The FCA's upcoming Consumer Duty implementation report requires the bank to demonstrate near-real-time monitoring of Consumer Duty outcomes by mid-year (approximately seven months away).
  3. The 31% UBO data gap creates material money laundering risk exposure and is likely to be flagged in the next AML supervisory visit.

Available budget: The management committee has approved £800,000 for a twelve-month programme, with a further review at month twelve for the second year.


Task

Part A: Apply the three prioritisation criteria from Section 35.6.4 (regulatory risk weight, value/effort matrix, dependency order) to rank the three regulatory concerns. Which should be addressed first in the roadmap?

Part B: Apply the data-first principle to identify which data quality issues must be addressed before which capability investments. Create a dependency map that shows the sequence: which data items must be remediated before which analytics or reporting capabilities can be built.

Part C: Design a three-horizon roadmap for Bramblewood Bank. For each horizon, specify:

  • The horizon duration
  • The specific activities included
  • The rationale for including those activities at that horizon (i.e., why this activity is a quick win versus a capability build, and what dependencies it satisfies or requires)
  • The success criteria that define completion of that horizon

Part D: The budget is £800,000 for twelve months. Make a high-level allocation of budget across Horizon 1 and Horizon 2 activities (Horizon 3 is beyond the twelve-month approval window). Explain your allocation rationale. Identify any activities that you would defer or descope if the budget were reduced by 20%.


Reflection Questions

  1. The transaction monitoring false positive rate is 89%, and the head of the monitoring team has flagged genuine suspicious activity risk from alert fatigue. How does this affect your roadmap sequencing?
  2. The four-month PRA deadline and the seven-month FCA Consumer Duty deadline create competing resource pressures. How do you resolve this conflict in the roadmap?
  3. What is the minimum data quality threshold you would require for the UBO field before deploying an enhanced beneficial ownership analytics capability?

Exercise 35.4 — Building the RegTech Business Case

Skill developed: Constructing a quantified financial justification for a RegTech investment using the four value categories and cost-of-status-quo analysis; performing sensitivity analysis on key assumptions

Suggested time: 45–55 minutes

Format: Structured business case document with financial model


Scenario

Northgate Payments Limited is an FCA-authorised payment institution processing approximately £8 billion in transactions annually for business clients. The firm has 220 staff and a compliance function of 14 people. The CFO has asked the CCO to build a financial business case for a proposed investment in a new AML transaction monitoring platform. The proposal involves:

  • Replacing the existing rule-based transaction monitoring system (procured in 2018) with a machine learning-enhanced platform
  • Estimated total cost of the new platform over three years: £680,000 (£120,000 implementation, £180,000 year one, £190,000 year two, £190,000 year three including ongoing maintenance and licensing)
  • Estimated implementation timeline: six months to full production

The CCO has gathered the following data about the current state:

Staff costs:

  • The monitoring team consists of 6 analysts (average fully-loaded cost: £62,000 per year) and one lead (£78,000 per year).
  • Each analyst processes approximately 45 alerts per day; the lead spends approximately 40% of their time on alert review.
  • The team estimates that genuine suspicious activity accounts for approximately 1.5% of total alerts (the rest are false positives).
  • On average, each genuine suspicious activity case requires approximately 4 hours of investigation time including SAR preparation; each false positive requires approximately 22 minutes of review time.
  • The team also spends approximately 15% of their time on periodic recalibration of monitoring rules, a manual, labour-intensive process.

Error and remediation costs:

  • In the past two years, the firm has had two instances of suspicious activity identified by external parties (a counterparty bank's correspondent banking review) that the firm's own monitoring had not flagged. In each case, the firm conducted an internal look-back review. Average cost of a look-back review (staff time, legal advice, external consultant): £85,000.
  • The current system generates approximately 12 regulatory notifications per year related to AML reporting quality; each notification requires senior management time and external legal review. Average cost per notification: £8,500.

Vendor claims for the new platform:

  • The ML-enhanced platform has reduced alert volumes by 55–65% at comparable institutions (reducing false positives substantially while maintaining or improving detection of genuine suspicious activity).
  • Rule recalibration time is reduced by approximately 80% through automated model retraining.


Task

Part A: Cost-of-status-quo analysis. Calculate the fully-loaded annual cost of the current AML transaction monitoring process, including:

  • Total staff cost attributable to alert review (base this on the alert volumes and time-per-alert data above)
  • Expected annual cost of look-back reviews (based on the historical frequency above)
  • Annual cost of regulatory notifications
  • Any costs that are not yet quantified: identify them and describe how you would estimate them

Part B: Cost-efficiency value calculation. Based on the vendor's claimed alert volume reduction (use the midpoint of the 55–65% range), calculate:

  • The reduced staff requirement in the monitoring function post-deployment (assuming current headcount fully reflects current alert volume)
  • The annual cost saving from reduced staff time
  • The net annual saving after deducting annual platform cost (years two and three, post-implementation)

Part C: Risk reduction value calculation. Calculate the expected value of the risk reduction benefit, using:

  • Baseline: 2 look-back reviews per year at £85,000 each; assume the new platform's improved detection rate reduces this frequency by 70% (i.e., from 2 per year to 0.6 per year)
  • Regulatory notifications: assume a 50% reduction in regulatory notification frequency due to improved reporting quality
  • Add one scenario analysis estimating the risk reduction value from avoiding a potential FCA enforcement action. Research or estimate a realistic enforcement cost for an AML monitoring failure at a payment institution of this size, and apply a probability of occurrence under the current system versus the new system.

Part D: Total ROI and payback period. Combine the cost-efficiency and risk reduction values to produce:

  • A total three-year NPV for the investment (use a 7% discount rate)
  • The simple payback period (when do cumulative benefits exceed cumulative costs?)
  • The benefit-cost ratio

Part E: Sensitivity analysis. Identify the three assumptions in your model that most heavily drive the total value. For each assumption, calculate what happens to the payback period if that assumption is 30% worse than your central case. Present this as a sensitivity table.

Part F: Non-financial value. Identify any value categories that your financial model does not capture (regulatory relationship, speed to market, staff retention and morale). For each, write two to three sentences explaining why the value is real even though it is not captured in the financial model, and how you would communicate it to the CFO.
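To make the arithmetic in Parts A to E concrete, the following Python model is added here as a worked example; it is not part of the original exercise and does not represent Northgate's or any vendor's own figures. It takes the scenario numbers as defaults, labels the inputs the scenario does not give (working days per year, productive hours per FTE, the year-one benefit ramp) as assumptions, leaves the Part C enforcement scenario as zero-valued placeholders for the reader's own research, and computes the cost of the status quo, steady-state annual benefits, NPV, benefit-cost ratio, payback period and a Part E sensitivity table. It also includes a utilisation check that reconciles the per-alert timings against headcount, which is the first consistency test a CFO's analyst will apply to the inputs.

```python
"""Business-case model for the Northgate AML monitoring proposal (Exercise 35.4).

Scenario figures are taken from the exercise text. Inputs marked ASSUMPTION or
PLACEHOLDER are not given by the scenario and must be replaced with the firm's
own data (or the reader's researched estimate) before the case goes to the CFO.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Assumptions:
    analysts: int = 6
    analyst_cost: float = 62_000.0        # fully loaded, per analyst per year
    lead_cost: float = 78_000.0
    lead_alert_share: float = 0.40        # share of the lead's time spent on alert review
    recalibration_share: float = 0.15     # share of team time on manual rule recalibration
    alerts_per_analyst_day: float = 45.0
    genuine_rate: float = 0.015           # share of alerts that are genuine suspicious activity
    genuine_hours: float = 4.0            # investigation time per genuine case, incl. SAR prep
    fp_minutes: float = 22.0              # review time per false positive
    working_days: int = 220               # ASSUMPTION: working days per analyst per year
    hours_per_fte: float = 1_650.0        # ASSUMPTION: productive hours per FTE per year
    lookbacks_per_year: float = 2.0       # Part C baseline
    lookback_cost: float = 85_000.0
    notifications_per_year: float = 12.0
    notification_cost: float = 8_500.0
    enforcement_cost: float = 0.0         # PLACEHOLDER: researched cost of an enforcement action
    p_enforcement_current: float = 0.0    # PLACEHOLDER: annual probability, current system
    p_enforcement_new: float = 0.0        # PLACEHOLDER: annual probability, new platform
    alert_reduction: float = 0.60         # midpoint of the vendor's 55-65% claim
    recalibration_reduction: float = 0.80
    lookback_reduction: float = 0.70
    notification_reduction: float = 0.50
    # Year 1 = 120k implementation + 180k licence; years 2 and 3 = 190k each (scenario)
    platform_costs: tuple = (300_000.0, 190_000.0, 190_000.0)
    benefit_ramp: tuple = (0.5, 1.0, 1.0)  # ASSUMPTION: six-month go-live, half a year of benefit in year 1
    discount_rate: float = 0.07


def status_quo_costs(a: Assumptions) -> dict:
    """Part A: fully loaded annual cost of the current process, by component."""
    team = a.analysts * a.analyst_cost + a.lead_cost
    alert_review = (a.analysts * a.analyst_cost * (1 - a.recalibration_share)
                    + a.lead_cost * a.lead_alert_share)
    recalibration = team * a.recalibration_share
    lookbacks = a.lookbacks_per_year * a.lookback_cost
    notifications = a.notifications_per_year * a.notification_cost
    enforcement = a.enforcement_cost * a.p_enforcement_current
    return {"alert_review": alert_review, "recalibration": recalibration, "lookbacks": lookbacks,
            "notifications": notifications, "enforcement": enforcement,
            "total": alert_review + recalibration + lookbacks + notifications + enforcement}


def implied_utilisation(a: Assumptions) -> float:
    """Consistency check: review hours implied by the per-alert timings, divided by the hours
    the team actually has. Above 1.0 the volume, timing and headcount inputs do not reconcile."""
    alerts_per_year = a.analysts * a.alerts_per_analyst_day * a.working_days
    minutes_per_alert = a.genuine_rate * a.genuine_hours * 60 + (1 - a.genuine_rate) * a.fp_minutes
    hours_needed = alerts_per_year * minutes_per_alert / 60
    hours_available = (a.analysts + a.lead_alert_share) * a.hours_per_fte
    return hours_needed / hours_available


def annual_benefits(a: Assumptions) -> dict:
    """Parts B and C: steady-state annual benefit once the platform is live. Staff saving
    follows Part B's assumption that headcount scales with alert volume."""
    c = status_quo_costs(a)
    staff = c["alert_review"] * a.alert_reduction + c["recalibration"] * a.recalibration_reduction
    lookbacks = c["lookbacks"] * a.lookback_reduction
    notifications = c["notifications"] * a.notification_reduction
    enforcement = a.enforcement_cost * (a.p_enforcement_current - a.p_enforcement_new)
    return {"staff": staff, "lookbacks": lookbacks, "notifications": notifications,
            "enforcement": enforcement, "total": staff + lookbacks + notifications + enforcement}


def yearly_flows(a: Assumptions) -> list:
    """(benefit, cost) per year over the three-year horizon."""
    total = annual_benefits(a)["total"]
    return [(total * ramp, cost) for ramp, cost in zip(a.benefit_ramp, a.platform_costs)]


def present_value(a: Assumptions, amounts) -> float:
    return sum(x / (1 + a.discount_rate) ** (year + 1) for year, x in enumerate(amounts))


def npv(a: Assumptions) -> float:
    """Part D: three-year NPV of net cash flows at the discount rate."""
    return present_value(a, [b - c for b, c in yearly_flows(a)])


def benefit_cost_ratio(a: Assumptions) -> float:
    flows = yearly_flows(a)
    return present_value(a, [b for b, _ in flows]) / present_value(a, [c for _, c in flows])


def payback_years(a: Assumptions):
    """Part D: undiscounted payback, interpolated linearly within the year in which cumulative
    benefit first exceeds cumulative cost; None if that never happens within the horizon."""
    cumulative = 0.0
    for year, (b, c) in enumerate(yearly_flows(a)):
        net = b - c
        if net > 0 and cumulative + net >= 0:
            return year + (-cumulative / net)
        cumulative += net
    return None


def sensitivity_table(a: Assumptions, drivers=("alert_reduction", "lookback_reduction",
                                                "notification_reduction"), worse_by=0.30) -> dict:
    """Part E: payback period when each benefit driver is `worse_by` below the central case."""
    table = {"central": payback_years(a)}
    for field in drivers:
        table[field] = payback_years(replace(a, **{field: getattr(a, field) * (1 - worse_by)}))
    return table


if __name__ == "__main__":
    a = Assumptions()
    print(f"utilisation check: {implied_utilisation(a):.2f}")
    print("status quo:", {k: round(v) for k, v in status_quo_costs(a).items()})
    print("annual benefits:", {k: round(v) for k, v in annual_benefits(a).items()})
    print(f"NPV: {npv(a):,.0f}  BCR: {benefit_cost_ratio(a):.2f}  payback: {payback_years(a):.2f} years")
    print("sensitivity (payback, years):", {k: round(v, 2) for k, v in sensitivity_table(a).items()})
```

Run with the defaults, the utilisation check comes out well above 1.0: the 45 alerts per analyst per day and the 22-minute false-positive review time together imply more review hours than six analysts have in a year, so the Part A staff figure should be built on headcount and time shares (as the model does) until those two inputs are reconciled with the team. The sensitivity table degrades only benefit drivers; to test a cost overrun, construct `Assumptions(platform_costs=...)` with higher figures and compare `payback_years` directly.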


Reflection Questions

  1. The vendor's alert volume reduction claim is based on "comparable institutions." What additional due diligence would you do to validate this assumption before including it in a business case presented to the CFO?
  2. The business case shows a strong positive ROI under central case assumptions. Should this automatically mean the investment proceeds? What non-financial or governance factors might justify a more cautious recommendation?
  3. The CFO asks: "What if the new system's ML model produces a different type of false negative — one that's less obvious, harder to detect, and creates a different compliance risk?" How do you respond?

These exercises are designed to be completed in sequence (35.1 through 35.4) as they build cumulatively on each other: assessment (35.1) informs stakeholder mapping (35.2), which informs roadmap design (35.3), which informs business case construction (35.4). They may also be completed independently if you are focusing on a specific skill area.