Chapter 35 Further Reading — Building a RegTech Program: Strategy, Governance, and Roadmapping
This reading list is organised by category and depth. Start with the Essential tier if you are new to RegTech program strategy; the Practitioner tier is recommended for those building or managing active programs; the Academic tier provides theoretical grounding for advanced study.
Essential Reading
Strategy and Operating Model Transformation
McKinsey & Company — "The compliance function at an inflection point" (McKinsey Global Banking Practice) The most widely cited industry analysis of compliance function transformation in large regulated institutions. Covers the transition from reactive compliance to proactive risk management, with quantitative analysis of compliance operating model maturity across global banks. Particularly relevant to Chapter 35's discussion of strategic orientations and the compliance-as-competitive-advantage thesis. Available at mckinsey.com (search "compliance function transformation financial services").
McKinsey & Company — "A new operating model for compliance" (McKinsey Financial Services) Companion piece to the above. Focuses specifically on the structural elements of compliance operating model design: centralized versus federated models, technology integration, talent implications. The discussion of the "compliance utility" model is directly relevant to Chapter 35's governance structures section. Available at mckinsey.com.
Oliver Wyman — "Compliance and RegTech: The Strategic Agenda" (annual report series) Oliver Wyman's annual compliance and RegTech market assessment provides the most rigorous industry-level data on RegTech investment patterns, implementation outcomes, and technology adoption rates. The 2023 and 2024 editions contain detailed data on tool utilisation rates (the "tool graveyard" phenomenon) and on governance structures at large and mid-size regulated institutions. Available at oliverwyman.com.
Maturity Frameworks
Deloitte — "The compliance maturity model: A framework for transforming compliance programs" (Deloitte Insights) Deloitte's proprietary compliance maturity framework is one of the most-used in practice. It differs in some respects from the framework in this chapter (Deloitte uses four stages rather than five) but the underlying logic is similar. Reading this alongside Chapter 35's framework will give you a sense of how different consulting firms approach the same diagnostic problem. Available at deloitte.com/insights.
KPMG — "Compliance Transformation: From Cost Centre to Value Driver" (KPMG Financial Services) KPMG's most recent (2024) white paper on compliance transformation articulates the business-driven strategic orientation — compliance as competitive advantage — with more financial services industry specificity than most academic treatments. The case studies in this paper, while anonymised, provide useful comparators to the Fenchurch and Cornerstone cases in Chapter 35.
FCA RegTech Publications
Financial Conduct Authority — "RegTech: Making Compliance Easier" (FCA Insight) The FCA's primary public statement on RegTech, outlining the regulator's perspective on technology in compliance, its engagement with the RegTech industry, and the areas where the FCA believes technology can most improve regulatory outcomes. This is essential reading for any practitioner working in the UK regulatory environment, both for its substantive content and for the signal it sends about supervisory expectations. Available at fca.org.uk.
Financial Conduct Authority — "Call for Input: Supporting the Development and Adoption of RegTech" (FCA) The FCA's formal consultation on RegTech development and adoption, including the results of the TechSprint program. Contains direct regulator perspectives on the maturity of the RegTech market and the barriers to adoption that the FCA has observed in its supervisory work. Directly relevant to Chapter 35's discussion of regulatory pressure as a driver of RegTech investment. Available at fca.org.uk.
Financial Conduct Authority — "Our approach to RegTech" (FCA Website — RegTech Page) The FCA maintains a dedicated RegTech page on its website, updated regularly, that describes its ongoing RegTech engagement activities, Digital Sandbox access, and TechSprint results. This page is a useful source of current FCA thinking and should be checked regularly by UK compliance practitioners. Available at fca.org.uk/innovation/regtech.
Practitioner Reading
Programme Management
Project Management Institute — "A Guide to the Project Management Body of Knowledge (PMBOK Guide)" (PMI, 7th Edition, 2021) The definitive reference for project and programme management methodology. Chapter 35 draws on PMBoK concepts for PMO design, steering committee structure, and escalation path design. Practitioners building RegTech programmes should be familiar with the PMBoK frameworks for governance, stakeholder management, and risk management, even if they choose to adapt or simplify them for their specific context. Available through PMI membership or commercial purchase.
PMI — "The Standard for Program Management" (PMI, 4th Edition) Distinct from the PMBOK (which focuses on individual projects), the Program Management Standard addresses multi-project programmes — the level at which most significant RegTech initiatives operate. The governance frameworks in this standard — particularly the Program Governance Board structure and the Program Management Plan requirements — are directly applicable to the RegTech PMO design discussed in Section 35.5.3. Available through PMI membership or commercial purchase.
Axelos — "Managing Successful Programmes (MSP)" (5th Edition, 2020) The UK government's programme management framework, widely used in the financial services industry alongside PMBoK. MSP's emphasis on "realising benefits" — ensuring that programme investments actually deliver the organisational benefits that justified them — is particularly relevant to the governance vacuum failure pattern in Chapter 35. The MSP benefits realisation approach directly addresses the post-production ownership problem that caused the Cornerstone case study outcome.
Agile Delivery in Regulated Environments
Scaled Agile, Inc. — "SAFe for Compliance" (Scaled Agile Framework) Agile delivery methods are increasingly used for RegTech programme delivery. The Scaled Agile Framework (SAFe) provides specific guidance on applying agile in regulated environments, including documentation requirements, audit trail maintenance, and change management in agile cadences. The "SAFe for Compliance" guide is available free at scaledagileframework.com.
Atlassian — "Agile for Compliance Teams" (Atlassian Blog and Guide) Practical guidance on applying agile delivery methods to compliance technology teams. The Atlassian documentation covers sprint planning, backlog management, and documentation practices that satisfy regulatory audit requirements — a common concern for compliance teams adopting agile delivery. Available at atlassian.com/agile.
Dan North — "Introducing BDD" and related writings on behaviour-driven development BDD (Behaviour-Driven Development) is increasingly used in RegTech development to bridge the language gap between compliance stakeholders who think in regulatory requirements and technology teams who think in system specifications. Understanding BDD's approach to specification — using "Given-When-Then" structures to describe system behaviour — helps compliance practitioners communicate requirements to technology teams more precisely.
Change Management
Kotter, J.P. — "Leading Change" (Harvard Business Review Press, 1996; updated 2012) The foundational text on organisational change management, Kotter's eight-step model is directly applicable to the change management challenges of RegTech programme deployment. Step 4 ("Communicate the vision") and Step 7 ("Consolidate gains and produce more change") are particularly relevant to the change management gap failure pattern described in Chapter 35. The case for urgent action (Step 1) maps directly onto the regulatory pressure argument in the RegTech business case.
Prosci — "ADKAR: A Model for Change in Business, Government and our Community" (Prosci, 2006) The ADKAR model (Awareness, Desire, Knowledge, Ability, Reinforcement) is the most widely used change management framework in enterprise technology deployments. RegTech practitioners should understand ADKAR's progression — change fails when any one of the five elements is absent — because it provides a diagnostic for the change management gap. The Cornerstone case study failure would be diagnosed in ADKAR terms as a failure at the "Reinforcement" stage: the system was deployed (Awareness, Knowledge, and Ability were partially in place) but management reinforcement of the new behaviour was absent.
Academic Reading
Organisational Capability Theory
Teece, D., Pisano, G., and Shuen, A. — "Dynamic Capabilities and Strategic Management" (Strategic Management Journal, 1997) The foundational paper on dynamic capabilities — the ability of an organisation to integrate, build, and reconfigure its competencies in response to changing environments. The RegTech program strategy's emphasis on building capability rather than buying tools is grounded in this framework: compliance capability is a dynamic capability that must be actively built, not simply purchased. This paper is highly cited and widely accessible through academic databases.
Barney, J.B. — "Firm Resources and Sustained Competitive Advantage" (Journal of Management, 1991) Barney's resource-based view of the firm provides the theoretical foundation for the business-driven strategic orientation in Chapter 35: the idea that compliance capability can become a source of sustained competitive advantage if it is valuable, rare, imperfectly imitable, and non-substitutable (the VRIN framework). For compliance and RegTech practitioners who want a theoretical grounding for the "compliance as competitive advantage" thesis, this paper is essential.
Technology Adoption
Venkatesh, V., et al. — "User Acceptance of Information Technology: Toward a Unified View" (MIS Quarterly, 2003) The Unified Theory of Acceptance and Use of Technology (UTAUT) model is the most widely validated framework for predicting and explaining technology adoption behavior. The model's four key determinants — performance expectancy, effort expectancy, social influence, and facilitating conditions — directly explain the change management gap failure pattern in Chapter 35. The "facilitating conditions" construct (the extent to which users believe infrastructure exists to support use of the system) is particularly relevant to the Cornerstone case study.
Rogers, E.M. — "Diffusion of Innovations" (5th Edition, Free Press, 2003) Rogers' diffusion of innovations framework — with its classic adopter categories of innovators, early adopters, early majority, late majority, and laggards — provides the population-level model that underlies Chapter 35's change management discussion. Understanding that adoption of a new compliance system will follow a diffusion curve, and that the late majority and laggards will require different interventions from innovators and early adopters, is practically valuable for programme change management planning.
Regulatory Technology Specifically
Arner, D.W., Barberis, J., and Buckley, R.P. — "FinTech, RegTech, and the Reconceptualisation of Financial Regulation" (Northwestern Journal of International Law & Business, 2017) The most-cited academic paper on RegTech's relationship to financial regulation. The paper's framing of RegTech as a response to the "regulatory gap" created by FinTech innovation is foundational to understanding why RegTech programs need to be linked to specific regulatory obligations rather than to general technological capability. Available through academic databases and SSRN.
Broeders, D. and Prenio, J. — "Innovative Technology in Financial Supervision (SupTech) — The Experience of Early Users" (FSI Insights, BIS, 2018) This BIS Financial Stability Institute paper examines how regulators themselves are adopting technology for supervision (SupTech), which is the mirror image of RegTech. Understanding how regulators are using technology to supervise firms — including transaction data analysis, automated report review, and machine learning for risk identification — provides important context for why regulatory data quality requirements are increasing, and why the audit trail completeness dimension of the maturity assessment is becoming more critical.
Regulatory Sources Reference
| Document | Issuer | Relevance to Chapter 35 |
|---|---|---|
| FCA Handbook — SYSC 6 (Compliance) | FCA | Sets out UK regulatory requirements for compliance function design and resourcing — the regulatory obligation context for RegTech program strategy |
| FCA Handbook — SYSC 8 (Outsourcing) | FCA | Relevant to build/buy/borrow analysis — outsourcing requirements for material compliance technology |
| SS1/21: Outsourcing and Third Party Risk Management | PRA | PRA's detailed guidance on operational resilience and third-party risk — relevant to vendor selection and management |
| FCA Consumer Duty: Final Rules and Guidance (PS22/9) | FCA | Sets out Consumer Duty monitoring expectations — direct source for the monitoring effectiveness maturity dimension |
| EBA Guidelines on ICT and Security Risk Management | EBA | European regulatory baseline for technology governance in banks — relevant to technology governance design |
| BCBS Principles for the Sound Management of Operational Risk | BCBS | Basel framework for operational risk management — provides the risk management context for RegTech program governance design |
| BIS Working Paper: "The changing landscape of financial supervision" | BIS | Contextualises supervisory technology trends and expectations — helpful for understanding how regulators assess firms' RegTech maturity |
Online Resources and Communities
FCA Innovation Hub (fca.org.uk/innovation) The FCA's primary digital resource for RegTech and innovation. Contains information on the Digital Sandbox, Project Innovate, and TechSprint outcomes. Updated regularly with new publications and engagement opportunities. Essential bookmark for UK RegTech practitioners.
Financial Stability Board — FSB FinTech and RegTech Pages (fsb.org) The FSB's cross-jurisdictional work on FinTech and RegTech, including coordination with IOSCO, BCBS, and national regulators. Relevant for practitioners working across multiple jurisdictions or for understanding international regulatory expectations for technology governance.
RegTech Association (theregtech.com) Industry body for RegTech practitioners and vendors. Provides practitioner community, case study library, and event programme. The RegTech Association's annual State of RegTech report contains market-level data on implementation patterns and failure rates that is useful for benchmarking.
BIS Financial Stability Institute (bis.org/fsi) The FSI publishes accessible practitioner-focused papers ("FSI Insights") on regulatory technology, supervisory practice, and compliance challenges. The paper on SupTech (referenced above) is one of many relevant publications. The FSI Connect online learning tool also covers RegTech topics. Available at bis.org/fsi.
ISDA Tech & Data (isda.org/category/technology) ISDA's technology and data working groups produce frameworks, protocols, and standards relevant to derivatives reporting, data quality, and regulatory automation. Particularly relevant for practitioners working on trade reporting or derivatives compliance RegTech programs.
Compliance Week (complianceweek.com) Trade publication covering compliance and RegTech news, case studies, and analysis. The annual Compliance Week conference features practitioner presentations on RegTech program design and outcomes that provide useful real-world benchmarks.
RegTech Analyst (regtechanalyst.com) Specialist research and journalism covering the RegTech vendor and buyer landscape. Useful for current market intelligence on vendors, investment trends, and implementation news.
Suggested Reading Pathway by Role
| Role | Priority Reads |
|---|---|
| CCO / Head of Compliance building a new RegTech programme | FCA RegTech publications; McKinsey compliance function transformation; Deloitte maturity framework; Kotter "Leading Change" |
| RegTech programme manager or PMO lead | PMBoK 7th edition; MSP 5th edition; Prosci ADKAR; SAFe for Compliance |
| CTO or CIO with compliance technology portfolio responsibility | Oliver Wyman "Compliance and RegTech"; BCBS operational risk principles; BIS SupTech paper; EBA ICT guidelines |
| RegTech consultant or advisor | Arner et al. "FinTech, RegTech, and Reconceptualisation"; Teece et al. "Dynamic Capabilities"; Venkatesh et al. UTAUT; all FCA publications |
| Board member or non-executive director overseeing compliance capability | McKinsey "compliance function at inflection point"; FCA Consumer Duty guidance; FSB RegTech pages; Barney "Firm Resources and Sustained Competitive Advantage" |
| Graduate student or early-career practitioner | Arner et al. (foundational academic); Rogers "Diffusion of Innovations"; FCA RegTech pages; Deloitte maturity framework; then expand to practitioner tier |
The further reading list is current as of the 2024–2025 publication date of this chapter. The RegTech academic and practitioner literature is growing rapidly; readers should also search Google Scholar and SSRN for recent working papers on regulatory technology adoption, compliance operating model transformation, and SupTech, as this literature is being updated continuously.