Technology has the potential to deliver better regulation and compliance outcomes. To unlock this, regulators and firms need to converge around a consensus structure for representing both the relevant rules and firms’ internal data. In this article, Bob Wardrop, Management Practice Professor of Finance at the University of Cambridge Judge Business School and Director of the Cambridge Centre for Alternative Finance, explains why this seems to be so difficult in the highly dynamic domain of Environmental, Social and Governance (ESG) reporting.
Feeding the machine: the case for structured regulatory data
A mix of technology change, geopolitical tension and sustainability challenges suggests that the world may be entering a period of unprecedented regulatory uncertainty. This uncertainty is making compliance with regulatory obligations more complex. A growing number of organisations have concluded that there are diminishing returns from throwing more human resources at this complexity and are migrating to more machine-based compliance processes.
However, applications running on machines cannot ‘read’ the form of regulatory content that is published for human consumption by regulatory authorities. This needs to be translated into a machine-readable form using technologies like natural language processing (NLP) and machine learning (ML). This ‘translation’ consists of classification and information extraction tasks that impose structure onto the content. Structure, in this case, means applying an organising framework to content that sets out what data elements might (or must) exist within it, how they relate to one another, and how they should manifest. Structure, in short, is what makes content meaningful for the purposes of an application and its end users. And it follows from this that different use cases, or different user expectations and practices, call for different structures, even when the underlying data are the same.
Since the middle of the last decade, regulators too have joined the machine-readable movement with initiatives aimed at translating their entire rulebooks into a structured, machine-readable form — and imposing local, proprietary structures in the process. While this translation work is straightforward for obligations in relatively stable and internationalised regulatory domains like AML/KYC, it is extremely challenging in the emerging ‘turbulent’ themes like Environmental, Social and Governance (ESG) risk management and reporting, where practices are likely to vary greatly across the globe.
What characterises ESG obligations that makes this so difficult? And how can consensus structures play a critically important role in overcoming the obstacles?
The penny drops: origins of the demand for mandated structure
At the Cambridge Centre for Alternative Finance (CCAF) in the Cambridge Judge Business School, we sensed policymakers’ growing interest in ESG long before it reached its current fever-pitch state. Our ‘pulse meter’ in this regard is our Cambridge Fintech and Regulatory Innovation online programme which, since 2019, has trained more than 1,400 financial services regulators and policy makers from 130+ countries, helping to guide them in designing and managing innovation initiatives responding to market innovation. As policymakers grapple with the digital transformation of the financial industry — the winners and losers, emerging risks and coordination challenges — we’ve learned to identify opportunities to deploy our research and technologies in order to create public goods: tools that can help policymakers overcome these complexities and obstacles.
ESG issues often come up in our work, informing our thoughts on the design of regulatory reporting frameworks, organisational reforms and supervisory tools. For instance, in the Spring of 2021, an official from a G7 finance ministry reached out to the CCAF to discuss their government’s approach to regulating green finance and investment, and to explore how this could be implemented in a digital format. They posed a question that really struck a chord — ‘how can we make our proposed legislation and rules as machine processable as possible?’.
Fundamentally, addressing this question revolves around the various methods of factoring traditionally non-quantifiable metrics into both the regulator’s rulebook and the industry’s go-to tools for managing compliance — for example, including culture and conduct metrics in traditional financial sector assessments and finding a place for them in the Governance, Risk and Compliance (GRC) systems used by firms.
The official was not alone in asking this question. Developments at the time were suggesting that both regulators and industry were aligning on recognising that a regulatory problem becomes machine-readable only by first developing a consensus structure for the relevant data.
Back in spring 2021, the policy world in many countries was going through an ESG frenzy, with governments and regulators scrambling to build taxonomies of green or socially responsible exposures, write disclosure and risk management rules for ESG-linked products, and align corporate reporting with the expectations of various international standard-setters. The compliance industry had also sprung into action, on the premise that ESG was, in principle, very much suited to being read and implemented by machines. One directory [1] alone lists almost 100 ESG-related compliance automation (RegTech) solutions and even that estimate is unlikely to capture the full population.
Within our research centre at the University of Cambridge, work was already underway on the Regulatory Genome Project. The RGP is an ambitious programme of work to create an open structure for representing the world’s financial regulation. In fact, the first edition of the regulatory obligation taxonomy for ESG reporting and risk management was very nearly complete.
Understanding consensus structures
This was not a bad starting point. As already discussed, machines need to be given the references with which to see what is in front of them, or a way of assigning meaning to things. That’s what structure does. The notion of a ‘consensus structure’ builds further on this concept — it is a shared framework of references within a peer group (say of firms, or policymakers, or ideally both), that can be used to ensure counterparties structure the same data in the same or in mutually reconcilable ways. A consensus structure, in other words, is one that preserves meaning across organisations and functions.
This is perhaps a more dynamic meaning of ‘consensus’ than some readers will expect. It is not sufficient for all parties to agree that a particular representation of their data is useful or comprehensive or accurate; they must also adopt it in their operations — mapping their data and processes to it — and invest in and enforce harmonisation. It is relatively easy to observe domains where such a consensus structure is either missing or too static to make a difference. Some tell-tale signs are:
- duplication of effort, both within firms and industry-wide, as firms each produce exhaustive mappings of rules and data to their own internal information structures, oblivious to the huge overlaps between them and their peers.
- organisational silos and lack of interoperability, as different business functions and different software vendors insist on their own preferred structure, making it hard for information to flow correctly between peer groups.
- vendor lock-in, as it becomes prohibitively expensive for many potentially good vendors to compete with incumbents who have already produced mappings to their clients’ information structures, thus restricting innovation and improvement.
Why is consensus more elusive in ESG?
From the playground to policymaking to bitcoin mining, to pursue consensus is to solve collective action problems. It takes near-total alignment to realise most of the benefits, up to which point individual parties’ incentives will always be more salient and easier to realise. In the ESG space, it has often taken the full force of the law and furious backstage horse-trading, as with Europe’s ESG taxonomy, to develop consensus structures. One reason is that the stakes are high. Technical-sounding discussions about whether a given 4-digit Standard Industry Classification code is ‘Green’ or not could translate into billions in lost investment, thereby affecting some national economies more than others. A convenor that does not have a government’s power to compensate ‘losers’ is therefore at a grave disadvantage.
In more mature areas of regulation, the combination of an authoritative non-state convenor and a large economic prize can fulfil the same function. For example, the International Swaps and Derivatives Association’s (ISDA) Common Domain Model (CDM) has achieved a large measure of success in digitising the regulatory and contractual treatment of derivatives. In the case of ESG, however, the regulatory and legislative framework, the consensus structure, and even the commercial practices around ESG labelling are being built and harmonised simultaneously. Horse-trading is harder when you can’t see the horses clearly.
For this reason, ESG suffers more acutely than other domains from a common regulatory problem: mutually reinforcing risk-aversion. Regulated firms crave certainty and safety in numbers; and they are never keen to converge on standards without a good sense of the regulator’s approval: why should they invest in structures that could be superseded by new rules, or even legislation? But regulators also know that they can rarely afford to promulgate, let alone maintain and enforce, standards at the level of detail that industry would find directly executable. They cannot provide their explicit or implicit seal of approval until they see how the standard performs under pressure, and unless they are assured of a sustainable governance structure. Indeed, where standards have worked in favour of compliance automation there is typically a relay between the regulator’s relatively high-level rules (and guidance) and the more practical (and flexible) guidance provided by industry subject matter experts.
Building the consensus structure for ESG
In broad terms, building a consensus structure for ESG has to date involved three work streams. First, it involved the adoption of an ontology of entities, concepts and functions. Then, the standardisation of data formats, identifiers and definitions so that all parties speak the same language and name all counterparties consistently. Finally, it involved the adoption of standard disclosures and metrics so that consumers and product distributors could make informed choices.
The last of these three elements, the standardising of disclosures and metrics, has always been the work of regulation. But ESG is a good case study for how regulators are becoming increasingly willing to cover more of the first two elements than they have traditionally done. This is a journey that all digitally transformed regulatory domains have already embarked upon, from anti-money laundering to market infrastructure to data protection. Traditionally, regulators have been reluctant to influence or own industry standards at this operational level. In the RegTech era this needs to change, because the closer rules get to machine-executability the less open they are to interpretation. For detailed instructions to be trusted, they must either be owned by regulators or delegated to industry. There is a risk that a small number of proprietary solutions from industry emerge as de facto standards which dominate the market and stifle innovation, thereby artificially restricting the range of compliance outcomes beyond what regulators intended.
There are other challenges that need to be addressed. We convened an asset management Special Interest Group meeting in late 2021, as part of the Regulatory Genome Project, and the participants highlighted three noteworthy issues.
- Firstly, key ESG issues, such as greenwashing, represent both business and reputational risks that go far beyond compliance; firms may be at risk of obsessing over the reporting elements that are most readily machine-executable to the detriment of the business itself.
- Secondly, the proliferation of ontologies and standards is challenging for firms working across borders, which must ensure that requirements are not simply tracked and complied with but are also reconciled across jurisdictions.
- Thirdly, data standardisation is crucial, but once complete it simply shifts the business and regulatory pressure on to deeper processes related to data use, such as data sourcing, quality assurance and governance.
Fundamentally, if the aim is to develop a consensus structure for relevant data, then we must overcome the problems created by having more than one type of structure being applied, and more than one interpretation of what data are relevant in the context of that structure.
Regulation-as-code and regulation-as-content
To put these challenges into context, it is useful to compare the two primary approaches for making regulation machine-readable (or even executable) in the first place.
Regulation-as-code aims to rewrite rules and the law as unambiguous statements invoking standardised data. Structure is built into the system by design. Get this right and software (sometimes referred to as ‘rules engines’) can then look up the relevant data and produce a compliant outcome — be it a decision, a report, a calculation, etc. — that is auditable end-to-end.
Regulation-as-content accepts the current legal and regulatory language, with all its flaws and ambiguities, and aims to extract from it the types of entities and obligations it is discussing, the likely business functions and processes affected, and perhaps even some standardised action points (e.g., this obligation requires the creation of a policy; or the review of a document; or the signing of an attestation). Structure is thus imposed on the system, typically through applications of AI. The outcome of regulation-as-content is not typically an action, or report, but a pre-populated draft policy, impact assessment or gap analysis.
Regulation-as-code is the default mode of attack for reporting- and disclosure-related obligations, and so too for much of the drive towards ESG regulation. To some extent, this is because the regulators and compliance teams that first began to grapple with the implications of ESG were drawn from domains in which this mindset prevails. A lack of standardisation was the most overwhelming risk driver at the time, and this introduced a bias towards a structure driven by reported data fields.
But many risks related to ESG products and disclosures, and certainly high impact ones such as greenwashing, at their heart are conduct risks — they’re about people doing and choosing the right thing (or failing to). Even operational matters, such as the over-reliance on noisy data, have deep roots in conduct — in what gets one promoted, which products are easiest to get approved, what arguments senior managers respond to favourably. More importantly, ESG rules are not aimed at the conduct of incompetent or rogue employees, but at their bosses and the tone and examples they set for the business.
If ESG regulations were to work well and achieve their goals one would not, in most cases, look for early evidence in changed portfolio allocations or consumer outcomes but in the governance and management of risks in the organisation. One would expect to see cultural change resulting from the changing tone at the top (and even observe the early “echo from the bottom”), long before any of the metrics currently tracked have moved the needle at all.
Have we got ESG regulation backwards?
Attempting to regulate (and comply) for such outcomes thus brings regulators and firms into the regulation-as-content space, where the machine can never do more than help to augment human judgment. It also forces them to lean heavily on new and imperfect metrics of behaviour, culture and how these are changing. Without a consensus structure to guide both data collection and business practice, the opportunity for duplication, and for inconsistent aims and measurements between firms, is enormous.
In such areas one would ideally build a consensus structure that is part theory of change — tracing how, realistically, ESG rules might bring about their intended outcomes and identifying which persons, functions and policies the path runs through, from the Board downwards — and then tie visible outcomes to each path. The result would be a consensus structure built ‘outwards’ from the key risks and outcomes to be avoided, and then allowed to cascade into governance structures and senior management accountability, policies and controls, product features, the calculation and management of exposures, and the like.
This approach has the added advantage of applying symmetrically to all three elements of ESG. In current practice, artifacts such as exposure taxonomies have focused on ‘E’; elements of ESG regulation inserted into corporate law or codes of practice have focused on ‘G’. But an approach that works backwards from risk and how it is owned need not prioritise one element over the others.
The approach set out above is, to be clear, the exact reverse of what current ESG rules appear to emphasise. But firms are familiar with this way of working — from anti-money laundering to cyber-security, working backwards from the ownership of risks to the operation of controls is quite common, and especially so where the stakes are high. It might also be practically easier to achieve consensus in this way, without forcing industry to agree on thousands of variables at a time.
Which way now for digitising ESG compliance?
The approach advocated above will offer small comfort to policymakers who just want to make sure that popular ethical and green labels are not misused or arbitraged, and that firms cannot wiggle out of their obligations as good corporate citizens simply by renaming their exposures. There is no need for policymakers to de-prioritise these. However, when considering how to equip themselves to automate compliance, firms should think beyond the datapoint-driven approach that policymakers have taken to date, and seek solutions optimised for understanding real risk.
How will we know we’re moving closer to achieving this? Well, risk models are an instrument of governance, not compliance. Well-understood risks lend themselves to consistent measurement or at the very least ranking that decision-makers can trust. They can be priced, however approximately; and their dependencies and correlations with regulatory requirements can be discussed with some certainty. Firms that understand their risks well do not need to keep guessing whether noisy data is bad data or simply data mapped to fuzzy, poorly-defined concepts.
What should a risk-based, consensus structure for ESG look like? Regulators, firms and technologists will need to work together in coming years to answer this question comprehensively, practically, and at scale. But one thing we do know even now: compliance- or data science- or tech expertise alone will not produce the answer for them. It will also take leadership, among the regulated and the regulators — and those who ultimately own these risks must avoid the temptation to free-ride on the efforts of others to realise a consensus structure and step up.
With thanks to:
Grisha McKain is a Research Associate at the CCAF, specialising in regulation, law and policy in the fintech sector. His work focuses on facilitating knowledge exchange between regulatory bodies in countries with different economic profiles. He previously worked in legal, regulatory and research roles at different tech companies and specialised in international law at the University of Edinburgh.
Manos Schizas is Head of Content Operations at RegGenome, a Cambridge University spinout producing structured regulatory content for compliance applications. An economist by training, Manos has previously been a regulator at the UK’s Financial Conduct Authority, the Lead in Regulation and RegTech at the Cambridge Centre for Alternative Finance, and the Head of Content Operations at JWG, a London-based RegTech.