Chapter 39: Quiz — The Future of RegTech
13 questions. Select the best answer for each multiple-choice question. For short-answer questions, write 2–4 sentences. Answer key follows the questions.
Questions
Question 1
Which of the following best describes the distinction between RegTech and SupTech?
A) RegTech is used by large institutions; SupTech is used by smaller ones
B) RegTech is technology used by regulated firms to meet compliance obligations; SupTech is technology used by regulators to supervise those firms
C) RegTech refers to rule-based systems; SupTech refers to AI-based systems
D) RegTech is a UK-specific term; SupTech is the global equivalent
Question 2
The FCA's Digital Regulatory Reporting (DRR) initiative is primarily aimed at:
A) Replacing the FCA's enforcement technology with machine learning
B) Expressing regulatory reporting requirements in machine-readable form and moving toward API-based direct data collection from firms
C) Creating a central database of regulated firms' customer data accessible by the FCA
D) Automating the FCA's internal investigation processes
Question 3
Which of the following represents the most accurate description of the "hallucination" risk in the context of LLMs used in compliance?
A) LLMs become confused when given regulatory documents in multiple languages
B) LLMs generate responses that are deliberately misleading to protect user privacy
C) LLMs generate text that is confident, fluent, and factually incorrect, which in compliance contexts can result in firms acting on inaccurate regulatory information
D) LLMs refuse to answer compliance questions involving confidential information
Question 4
A compliance team is considering using an LLM to draft regulatory submissions to the FCA on behalf of a client. Based on the chapter's analysis, this use case is best characterized as:
A) Safe, because LLMs can access current regulatory guidance
B) Safe with controls, because the firm can verify outputs before submission
C) Unsafe without expert review of every substantive claim — and one that has already produced cases where LLM-generated errors appeared in FCA submissions
D) Clearly prohibited under FCA guidelines
Question 5
What is the most significant compliance implication of a regulator moving from periodic regulatory reporting to API-based direct data access?
A) It eliminates the need for compliance officers entirely
B) It reduces the regulatory burden on firms by removing the need for data preparation
C) It means the regulator's view is continuously current, removing the period between submissions during which data quality issues could be corrected before regulatory visibility
D) It requires firms to adopt blockchain for all data storage
Question 6
The ECB's AnaCredit program is an example of:
A) The European Commission's approach to crypto-asset regulation
B) A SupTech data collection program that gathers granular loan-level data from eurozone banks, enabling advanced supervisory analytics at the ECB
C) An AI-powered credit scoring system for retail banking customers
D) The ECB's response to MiFID II reporting requirements
Question 7
Which of the following best describes the central governance challenge of machine-executable regulation?
A) The cost of converting regulatory text into code is too high for most regulators
B) Machine-executable rules require all regulators to use the same programming language
C) When a regulation is expressed as code, someone must decide what the code should say — and if the coder's interpretation of an ambiguous regulation differs from the regulator's, the firm has automated its non-compliance
D) Machine-executable rules cannot accommodate changes when regulations are amended
Question 8
Under what circumstances would an LLM used in compliance decisions most likely fall within the scope of the EU AI Act's high-risk AI system requirements?
A) Whenever the LLM was trained on data from EU member states
B) When the LLM is used for evaluation or classification of natural persons in credit, financial risk, or similar contexts — as defined in Annex III of the EU AI Act
C) When the firm using the LLM has more than 500 employees
D) Only when the LLM is operated by a bank, not by other types of financial institutions
Question 9
Which of the following represents a compliance implication of Central Bank Digital Currency (CBDC) deployment that the chapter specifically identifies?
A) CBDCs will completely replace existing AML obligations
B) CBDCs require all financial institutions to obtain new licenses
C) CBDCs' programmability could enable compliance-by-design at the currency level, but also raises financial surveillance and privacy risks; the interaction with existing AML and sanctions obligations requires regulatory guidance not yet available in most jurisdictions
D) CBDCs eliminate the need for correspondent banking relationships
Question 10
The concept of "embedded finance" creates compliance complexity primarily because:
A) Embedded financial products are not subject to any regulation
B) Financial services are delivered through non-financial platforms, creating ambiguity about which entity — the licence-holder or the platform operator — bears compliance responsibility for specific obligations
C) Embedded finance requires separate regulatory approval in every country where the platform operates
D) Financial conduct rules do not apply to products offered outside traditional bank branches
Question 11
Which of the following skills is identified in the chapter as most likely to increase in value for compliance professionals over the next decade — rather than being automated away?
A) Manual preparation of regulatory returns
B) Excel-based reconciliation of compliance data
C) Regulatory judgment: the ability to interpret ambiguous regulatory language and exercise discretion in novel situations
D) Generating standard compliance reports from defined data sources
Question 12
The BIS Innovation Hub is described in the chapter as:
A) A regulatory sandbox exclusively for cryptocurrency companies
B) A coordination hub that develops SupTech proof-of-concept implementations across a network of central banks, and has published a SupTech inventory documenting active programs in more than 50 jurisdictions
C) The primary regulator for international financial institutions
D) A BIS-run programme for training compliance professionals in emerging technologies
Question 13
Short answer. Define "anti-fragility" as applied to compliance program design, and provide two specific characteristics of a compliance program that would qualify as anti-fragile under the chapter's analysis.
(Write 2–4 sentences.)
Answer Key
Question 1 — Answer: B
Explanation: RegTech and SupTech are defined by who uses the technology and for what purpose. RegTech is used by regulated firms to meet their compliance obligations. SupTech is used by regulators to oversee and supervise those firms. The distinction is institutional rather than technological — the same analytical capabilities may be deployed on both sides. Understanding this distinction is foundational to understanding the SupTech-driven changes to the supervisory landscape described in Section 2.
Question 2 — Answer: B
Explanation: The FCA's Digital Regulatory Reporting initiative has two linked objectives: (1) expressing regulatory reporting requirements in machine-readable, computer-executable form, so that firms can automate their report preparation; and (2) moving progressively toward API-based direct data collection, in which the regulator queries firm systems directly rather than receiving periodic submissions. Phase 1 piloted machine-readable reporting rules with volunteer firms. The longer-term trajectory is toward direct data access, which represents a fundamental change in the supervisory relationship.
Question 3 — Answer: C
Explanation: LLM hallucination refers to the generation of text that is confident, fluent, and syntactically correct but factually wrong. In general-purpose contexts, hallucinations are errors to be caught and corrected. In compliance contexts — where a wrong answer about a regulatory requirement can lead to non-compliance, incorrect regulatory submissions, or inaccurate advice — hallucinations are material risks. Real-world pilots described in the chapter (see also Case Study 02) have documented material error rates in LLM-generated regulatory summaries, and FCA submissions have been returned with errors traceable to LLM-generated content.
Question 4 — Answer: C
Explanation: Using an LLM to draft regulatory submissions without thorough expert review of every substantive regulatory claim is an unsafe deployment. The verification problem is that LLM outputs in compliance contexts require expert review before they influence regulatory interactions. This is not merely a theoretical concern: Case Study 02 in this chapter describes two submissions returned by the FCA with errors attributable to LLM-generated content. The LLM may be used to accelerate the drafting process, but the substantive compliance of the submission is the responsibility of the human expert who reviews and endorses it.
Question 5 — Answer: C
Explanation: The most significant implication of direct data access is the elimination of the preparation cycle between data generation and regulatory visibility. Under periodic reporting, firms have an opportunity to identify and correct data quality issues before submission. Under direct access, the regulator sees data as it exists in the firm's systems. This changes the nature of compliance from a periodic reporting exercise to a continuous state: data must be accurate and well-governed all the time, not just when a report is due. It also removes the informational asymmetry that has historically allowed firms to manage their regulatory presentation.
Question 6 — Answer: B
Explanation: AnaCredit (Analytical Credit Datasets) is an ECB data collection program that gathers granular, loan-level credit data from eurozone banks. It represents a sophisticated SupTech data collection capability, enabling the ECB to conduct portfolio-level credit risk analysis across the eurozone banking system at a level of granularity that was previously impossible. AnaCredit uses API-based data submission for many participants, making it a leading example of the SupTech direct data collection architecture described in Section 2 of the chapter.
Question 7 — Answer: C
Explanation: The central governance challenge of machine-executable regulation is the interpretation problem. Regulatory language is often deliberately ambiguous — designed to be applied flexibly by human judgment to circumstances that drafters could not fully anticipate. When a regulation is expressed as code, that ambiguity must be resolved by the person writing the code. If that person's interpretation differs from the regulator's — either initially or as interpretive guidance evolves — the firm's automated compliance is automated non-compliance. The "who decides what the rule means" problem is not solved by making the rule machine-executable; it is made more consequential.
Question 8 — Answer: B
Explanation: The EU AI Act classifies AI systems as high-risk when they are used in specific contexts defined in Annex III of the Act. Among these are AI systems used for evaluation and classification of natural persons in financial services contexts, including credit scoring and risk assessment. Compliance AI tools that make determinations about individual customers' risk profiles, creditworthiness, or suitability for financial products are plausible candidates for high-risk classification. The size of the firm using the system and the geographic origin of training data are not the determining factors; the function performed is.
Question 9 — Answer: C
Explanation: The chapter discusses CBDCs as having two analytically distinct compliance implications. The programmability of CBDC enables compliance-by-design at the currency level — embedded transaction rules, automatic reporting triggers, programmable restrictions. This is a powerful capability for regulators. However, the same programmability enables surveillance of individual transaction behavior at a level of granularity that raises privacy and civil liberties concerns. The interaction with existing AML and sanctions regimes is a practical regulatory question that most jurisdictions have not yet addressed through formal guidance.
Question 10 — Answer: B
Explanation: The compliance complexity of embedded finance arises from the separation between the entity holding the regulatory licence (typically a bank or authorised payment institution) and the entity controlling the customer relationship and user experience (the non-financial platform). The FCA has been explicit that the licence-holder cannot outsource its regulatory obligations — if a product is sold under a firm's authorisation, that firm is responsible for its compliance regardless of the distribution channel. This creates oversight obligations for banks running banking-as-a-service models that are operationally complex: the bank must ensure compliance of products and customer interactions it does not directly control.
Question 11 — Answer: C
Explanation: The chapter argues that regulatory judgment — the ability to interpret ambiguous regulatory language, exercise professional discretion in novel situations, and take accountable decisions — becomes more valuable as compliance automation expands, not less. Automation concentrates compliance professionals' work toward the hard cases that require judgment: the edge cases the algorithm was not designed for, the novel situations not covered by existing guidance, the complex determinations where accountability matters. Answer options A, B, and D describe tasks that are progressively being automated by compliance technology.
Question 12 — Answer: B
Explanation: The Bank for International Settlements Innovation Hub coordinates SupTech development across a network of central banks including the Monetary Authority of Singapore, the Swiss National Bank, the ECB, and the Hong Kong Monetary Authority. The Hub has produced proof-of-concept SupTech implementations and, through its published SupTech inventory, has documented more than 90 active SupTech tools across more than 50 jurisdictions globally. This makes it the most significant global coordination vehicle for supervisory technology development and a key source for tracking the state of SupTech deployment internationally.
Question 13 — Model Answer
Anti-fragility, as applied to compliance program design, describes a program that becomes stronger when exposed to regulatory and operational stress, rather than merely surviving or recovering from it. Unlike resilience — which implies returning to a previous state after disruption — anti-fragility implies improvement through exposure to volatility and change.
Two characteristics of an anti-fragile compliance program from the chapter's analysis:
Modular architecture: Compliance systems and processes designed as modular, loosely coupled components can be updated when specific requirements change without requiring the entire program to be rebuilt. When a regulation changes, only the affected module needs to be replaced or modified.
Data infrastructure investment: A compliance program whose data is well-governed, standardized, accessible, and consistent can adapt to new reporting requirements substantially faster than one with fragmented, inconsistent data. Institutions with strong data infrastructure are anti-fragile to new regulatory data requirements; those without are exposed.
(Other valid answers include: early regulatory engagement providing advance notice of change; vendor diversification with standardized interfaces reducing switching costs; continuous learning culture enabling faster interpretation of new requirements.)
Chapter 39 Quiz complete. 13 questions.