Chapter 39: Exercises — The Future of RegTech
Exercise 39.1: RegTech Trend Radar Construction
Type: Individual or pair analysis exercise
Estimated time: 60–90 minutes
Prerequisite: Read Section 2 (SupTech), Section 3 (Digital Regulation), and Section 4 (LLMs) of Chapter 39
Scenario
Stonehaven Mutual is a UK-based building society with approximately £4.2 billion in assets, 180,000 mortgage customers, and 85,000 savings account holders. The compliance function has twelve staff: a CCO, two deputy compliance officers (one specializing in regulatory reporting, one in AML/financial crime), five compliance managers covering specific business lines, three compliance analysts, and a recently hired data analyst who supports regulatory reporting.
Stonehaven's current technology position:
- Core banking system: legacy on-premises platform, 11 years old, under a replacement program expected to complete in 24 months
- Regulatory reporting: largely manual, XBRL submissions prepared via spreadsheet with an automated validation layer
- AML monitoring: a rules-based transaction monitoring platform installed seven years ago; no ML component
- KYC: semi-automated — digital document capture but manual verification review
- Regulatory intelligence: no dedicated tool; two compliance analysts read regulatory publications and circulate summaries via email
- Data governance: a data governance framework was approved eighteen months ago but implementation is at approximately 40% completion
Stonehaven is regulated by the FCA and the Prudential Regulation Authority. Its key reporting obligations include: FCA regulatory returns via GABRIEL; PRA supervisory returns; CBTL (Consumer Buy-to-Let) reporting; MMIF (mortgage market data reporting); and annual ICAAP and ILAAP submissions.
Your Task
Using the RegTechTrend and TrendRadar framework from the chapter (see the Python code example), construct a written RegTech Trend Radar for Stonehaven Mutual. Your radar must:
Part A — Trend Identification and Classification (40%)
Identify and analyze at least eight RegTech trends that are relevant to Stonehaven's situation. For each trend, determine:
- The trend name and a one-paragraph description of what it is and why it matters for Stonehaven specifically
- The time horizon (NOW: 0–2 years; NEAR: 2–5 years; FAR: 5–10 years)
- The confidence level (high/medium/low) with a one-sentence justification
- The regulatory driver (specific regulatory instrument, regulator program, or market development)
- The impact areas for Stonehaven (regulatory reporting, AML, KYC, data governance, etc.)
Part B — Readiness Action Recommendations (40%)
For each trend, specify the recommended readiness action (Monitor / Assess capability gaps / Run a pilot / Implement now) and provide a two-to-three sentence justification. Your justification should be specific to Stonehaven's described situation — consider the legacy core banking system replacement timeline, the partially implemented data governance framework, and the compliance team's current composition.
Part C — Prioritization Rationale (20%)
Identify the three trends you would recommend Stonehaven address first, and explain in a short paragraph (200–300 words) the prioritization rationale. Consider regulatory urgency (what is the FCA/PRA expecting?), organizational readiness (what can Stonehaven actually do given its current state?), and risk exposure (what is the cost of being behind?).
Guiding Questions
- How does Stonehaven's 24-month core banking replacement program affect your trend horizon assessment and readiness recommendations? Are there trends where the timing of that replacement creates either an opportunity or a constraint?
- The FCA's DRR initiative moves toward API-based data access. Stonehaven's regulatory reporting is currently spreadsheet-based with an automated validation layer. What does "Implement now" for DRR readiness actually mean for an institution in this position?
- Stonehaven has a data analyst who joined recently. How should this person's role evolve over the three-year horizon covered by the NOW trends you identify?
Exercise 39.2: SupTech Readiness Assessment
Type: Individual written assessment
Estimated time: 45–60 minutes
Prerequisite: Read Section 2 (SupTech) of Chapter 39
Scenario
Meridian Capital Management is a US-registered investment adviser and broker-dealer with AUM of $8.7 billion. Rafael Torres, as a consultant brought in to support a compliance technology review, has been asked to assess Meridian's readiness for potential SEC and FinCEN SupTech initiatives — specifically, any scenario in which US regulators move toward API-based direct data access for investment adviser or broker-dealer transaction and position data.
Meridian's relevant data environment:
- Trade data: Fully electronic, stored in a modern order management system (OMS) that has REST API capabilities. Trade records are available in standardized FIX format. Data latency from execution to system availability is under 5 minutes.
- Position data: Aggregated from the OMS and three prime brokers via end-of-day reconciliation feeds. Current system: a combination of the OMS and a spreadsheet-based reconciliation process that a compliance analyst runs each morning.
- Client data: CRM system with good data completeness for retail and institutional clients. KYC records: stored in a mix of the CRM and PDF scans in a document management system. Not currently structured for API access.
- AML transaction monitoring: A third-party platform that produces alerts; alert data is stored in the platform's proprietary database. Data export is possible but requires manual initiation by a compliance staff member.
- SAR data: Stored in case management records within the AML platform and referenced in a spreadsheet log maintained by the AML analyst.
- Regulatory reporting: FOCUS reports prepared quarterly by the finance team, with compliance review; form ADV maintained in the SEC's EDGAR system; suspicious activity reports filed via FinCEN's BSA E-Filing system.
Your Task
Prepare a SupTech Readiness Assessment for Meridian Capital. Structure your assessment as follows:
Section 1 — Data Access Readiness Matrix
For each data category listed above (trade data, position data, client data, AML monitoring, SAR data, regulatory reporting), assess:
- Current API accessibility (Ready / Partially ready / Not ready)
- Data quality assessment (Clean and consistent / Inconsistent / Unknown)
- The primary gap to be closed before direct regulatory access would be appropriate
- Estimated effort level to close the gap (Low / Medium / High)
Present this as a structured table.
Section 2 — Priority Findings
Based on the matrix, identify the two most material readiness gaps — the areas where Meridian's data environment is most exposed in a SupTech direct access scenario. For each finding, write a short paragraph (150–200 words) explaining:
- Why this is a priority gap (not just that it exists, but why it matters)
- What a regulator would see if they queried this data today
- What Meridian needs to do to close the gap
Section 3 — The Spreadsheet Risk
The position data reconciliation process relies on a daily spreadsheet process run by one compliance analyst. Write a 200-word analysis of the specific risk this creates in a SupTech context, and recommend the specific remediation approach.
Section 4 — Recommendation to Rafael
Based on your assessment, what would you recommend Rafael tell Meridian's CCO? Draft the key points of a one-page executive briefing (bullet format, no more than 300 words) that conveys:
- Overall readiness posture (1–2 sentences)
- Top three action priorities
- Timeline recommendation
Guiding Questions
- If the SEC were to pilot an API-based data access program tomorrow and Meridian were selected, which data categories would be straightforward to expose and which would create supervisory findings?
- The chapter argues that SupTech reveals the gap between what a firm reports and what its data actually shows. Is there any such gap apparent in Meridian's described data environment?
- How should the compliance team prioritize closing SupTech readiness gaps against other competing priorities (e.g., annual regulatory filings, client onboarding workload, examination preparation)?
Exercise 39.3: LLM Use Case Analysis
Type: Group or individual classification exercise
Estimated time: 45 minutes
Prerequisite: Read Section 4 (LLMs) of Chapter 39
Overview
The table below lists 12 compliance tasks at Verdant Bank that Maya's team has discussed as potential candidates for LLM assistance. Your task is to classify each task into one of three categories and provide a brief justification.
Categories:
- SAFE WITH CONTROLS: LLM assistance is appropriate, but specific controls must be in place. Identify what those controls are.
- UNSAFE: LLM assistance is not appropriate for this task in its described form. Explain why.
- CONDITIONAL: Appropriateness depends on factors not specified. Identify what those factors are and how they would determine the classification.
Tasks for Classification
| # | Compliance Task | Description |
|---|---|---|
| 1 | FCA regulatory update summaries | Weekly summarization of FCA publications, circulated to compliance team via internal newsletter |
| 2 | SAR decision (file or not file) | Determining whether a transaction alert requires SAR submission based on case notes and alert data |
| 3 | First draft of SAR narrative | Generating a structured first-draft SAR narrative from a completed case investigation file |
| 4 | Policy gap analysis report | Comparing Verdant's AML policy suite against JMLSG Guidance and identifying uncovered areas |
| 5 | Response to FCA supervisory letter | Drafting Verdant's formal response to an FCA Dear CEO Letter on financial crime controls |
| 6 | New employee compliance training module | Drafting scenario-based compliance training content for new joiners |
| 7 | Customer due diligence risk rating | Assigning a risk rating to a new business customer based on submitted KYC documents |
| 8 | Regulatory horizon scanning briefing to ExCo | Producing a monthly briefing on material regulatory developments for the Executive Committee |
| 9 | Contract review for standard vendor agreement | Reviewing standard terms in a new AML vendor contract to identify missing regulatory obligations |
| 10 | Determining applicable regulation for new product | Advising on which FCA permissions and rules apply to a proposed new financial product |
| 11 | Drafting compliance FAQ for staff intranet | Generating a list of common compliance questions and plain-English answers for the staff intranet |
| 12 | Model validation of a new AML scoring model | Assessing whether a new ML-based risk scoring model meets validation standards under the firm's model risk framework |
Your Task
Part A: For each task, assign a category (Safe with Controls / Unsafe / Conditional) and provide a 2–4 sentence justification.
Part B: Based on your classifications, identify the two tasks where you feel most uncertain about the appropriate category, and write a short paragraph (150 words) for each explaining what additional information would help you reach a more confident classification.
Part C: Write a short policy statement (200–250 words) in the form of a Verdant Bank internal guidance note entitled "LLM Tools in Compliance: Permitted and Restricted Uses." The guidance note should be drafted for compliance staff (not technologists), should be clear and direct, and should avoid being either so permissive that it enables unsafe use or so restrictive that it prevents the efficiency gains the tools provide.
Guiding Questions
- What is the relevant distinguishing factor between task 3 (SAR narrative drafting) and task 2 (SAR decision)? Both involve the same underlying AML case. Why do they have different LLM appropriateness profiles?
- Task 10 (determining applicable regulation for a new product) requires LLM access to current regulatory text. Even with a well-curated regulatory knowledge base, what specific risks remain that make this task different from task 1 (regulatory update summaries)?
- How does accountability change the analysis? For tasks where the firm's regulatory relationship or a specific regulatory submission is at stake, how should that affect the classification?
Exercise 39.4: Compliance Skills Gap Analysis
Type: Individual written analysis
Estimated time: 60 minutes
Prerequisite: Read Section 7 (What This Means for Compliance Professionals) of Chapter 39
Scenario
Cornerstone Financial Group's Group Compliance Director has asked you (a consultant, in the role of Priya Torres) to conduct a skills gap analysis of the Group Compliance function against a "2030 readiness" profile — assessing where the current team has the capabilities required for the next five years and where development is needed.
The team: 14 compliance professionals
| Name | Role | Background | Current Strengths | Technology Experience |
|---|---|---|---|---|
| Amara | Group Compliance Director | 18 years in compliance, ex-regulator (5 years at FCA) | Regulatory relationships; regulatory interpretation; strategic communication | Limited — comfortable with standard compliance platforms, limited data skills |
| James | Deputy Director, Financial Crime | 12 years AML/sanctions; ex-FinCEN | Deep FATF knowledge; SAR quality; sanctions program | Moderate — has worked with transaction monitoring platforms; no ML experience |
| Sunita | Head of Regulatory Reporting | 8 years in regulatory reporting | XBRL; EBA technical standards; Basel reporting expertise | Good — data-comfortable; has led two reporting automation projects |
| David | Head of Trading Compliance | 14 years in trading/markets | MiFID II; best execution; market abuse expertise | Limited — uses trade surveillance platform but doesn't understand the models |
| Fatima | Compliance Manager, Retail Banking | 6 years compliance, joined from legal | Consumer Duty; product governance; complaints | Limited — standard compliance tools only |
| Marcus | Compliance Manager, Technology Risk | 3 years compliance; CS degree | Technology risk; IT audit liaison; cybersecurity compliance | Strong — genuine technical background; able to work with developers |
| Anika | Compliance Manager, ESG | 2 years compliance; Masters in Environmental Law | CSRD; sustainability disclosure; green claims | Limited — no data or technology background; ESG data is entirely manual |
| Rajesh | AML Analyst | 5 years AML | Transaction monitoring alert review; typology research | Moderate — comfortable with the TM platform; no data skills beyond standard queries |
| Yemi | Regulatory Intelligence Analyst | 3 years compliance | Horizon scanning; regulatory tracker maintenance | Beginning — just started using an LLM summarization tool; enthusiasm but no governance knowledge |
| Chen | Data Analyst (Compliance) | 1 year in compliance; 3 years as data analyst | Data visualization; SQL; Python basics; dashboard development | Strong — the team's data resource |
| Priya (different from narrator) | Compliance Analyst | 2 years compliance | Generalist; policy review; training delivery | Developing — has completed an online AI course; interested in technology |
| Kofi | Compliance Analyst | 1 year compliance | Junior generalist | Limited — standard tools only |
| Nadia | Compliance Analyst | 2 years compliance; ex-financial services audit | Audit methodology; documentation | Moderate — audit tools; some data background |
| Stefan | Legal/Regulatory Counsel | 7 years; dual role compliance/legal | Regulatory interpretation; contract review; regulatory correspondence | Limited — Word, email, standard tools |
Your Task
Part A — Individual Assessments (50%)
For each of the fourteen compliance professionals, produce a brief skills gap assessment (3–5 sentences) that:
- Identifies their most significant current strength relative to 2030 needs
- Identifies their most significant skills gap relative to 2030 needs
- Recommends one specific development action for the next 12 months
You do not need to write at length for each — this should be a structured, efficient assessment, not a detailed narrative.
Part B — Team-Level Analysis (30%)
Based on your individual assessments, answer the following at the team level:
- Where are the team's collective strengths? Which 2030 capability areas are already adequately covered?
- Where are the team's collective gaps? Which 2030 capability areas are most underserved?
- Which two roles represent the highest strategic priority for development investment, and why?
- Is there a systemic skill the whole team needs, regardless of role? What is it, and how would you address it at scale?
Part C — Recommendation to Amara (20%)
Draft a 300-word executive summary for Amara (Group Compliance Director), addressed to her in the role of report recipient. The summary should:
- Characterize the team's overall 2030 readiness posture
- Identify the top three priorities for the next 12 months
- Flag any roles where external hiring may be needed to fill gaps that internal development cannot close in a reasonable timeframe
- Make one organizational structure recommendation
Guiding Questions
- Chen is the team's only data analyst. What is the systemic risk this creates as the compliance function becomes more data-dependent? How would you recommend addressing it?
- Yemi is using an LLM summarization tool enthusiastically but without a governance framework. What is the near-term risk of this situation, and what would you recommend?
- The chapter distinguishes between compliance professionals who understand technology (sufficient) and technologists who understand regulation (different role). Where on the Cornerstone team does the greatest value come from bridging this gap?
- Amara's strength — regulatory relationships and strategic communication — is described in the chapter as a skill that remains valuable regardless of technology change. How do you communicate this honestly in your assessment without suggesting that she has no development needs?
Chapter 39 Exercises complete.