A group of legal researchers from the Department of Law at the University of Luxembourg is working hand in hand with computer scientists at the Interdisciplinary Centre for Security, Reliability and Trust (SnT) to push the boundaries of Regulatory Technology (RegTech), while keeping in mind the legal framework which surrounds its use. These interdisciplinary teams operate within the FutureFinTech, sharing ideas and skills to build the technologies of tomorrow.
What is RegTech?
RegTech, which stands for Regulatory Technology, refers to the use of information technology, including AI, to increase efficiency and effectiveness in regulatory, reporting and compliance processes.
Associate Professor Stanislaw Tosza, along with postdoctoral researchers Salomé Philippe Ségolène Lannier and Olivier Voordeckers are studying how specific RegTech technologies function in a real-world context. Through three projects, ROBOCOMP, REGCHECK and ICCOFIDO, the research team analyses how RegTech can create opportunities for financial market players, but also brings light to the protection of fundamental rights in these new digital environments.
-
The ROBOCOMP project team brought together researchers from the FDEF and the SnT under the banner of FutureFinTech.
-
Prof. Stanislaw Tozsa, Associate Professor in Compliance and Law Enforcement, gave the introductory speech at the “Automating anti-money laundering compliance: technical opportunities and legal challenges” conference on 31 January 2025.
-
Dr. Salomé Lannier, Postdoctoral researcher at the FDEF, speaks about the principle of explainability in law.
-
Dr. Olivier Voordeckers, Postdoctoral Researcher at the FDEF, explored the challenges that AI poses to fundamental rights in the context of KYC compliance.
Automation and customer protection: A delicate balancing act
Banks have an increasingly heavy responsibility to ensure that their clients are not engaged in illegal activities such as money laundering or terrorism financing. To do this, they may rely on RegTech to increase efficiency in their compliance procedures. The ROBOCOMP project turns a critical eye towards the automatisation of due diligence processes and examines the legal implications of using AI tools for AML/KYC compliance. Researchers aim to analyse how information is collected under the current framework and contribute to improving the process with vetted AI technology.
This FutureFinTech research collaboration has given rise to two tools. A first tool seeks to help financial institutions ascertain companies’ beneficial owners as well as the close associates of politically exposed persons. This is important information for banks as well as a legal obligation when the customer is a corporate entity. While the beneficial owner is always listed in the regulator’s register of beneficial owners, finding close associates is a more difficult process that can be simplified through AI. The second tool combs over vast amounts of data to help financial institutions identify suspicious transactions and flag customers.
The researchers have seen that as banks move toward automatisation, they also increase their de-risking behaviours, Prof. Tosza explains. This means that banks will take decisions to decrease their exposure to potentially illegal activities, such as categorically dropping a customer who is flagged. However, when an AI system flags a customers’ transactions, it is not always apparent why. Such a tool should also be able to give its reasoning behind the action.
The legal researchers argue that a right to explainability is of utmost relevance to ensure the protection of fundamental rights of customers. The use of AI for KYC compliance requires, as per the Anti-Money Laundering Regulation, an explanation when its output denies, for instance, access to a service. This is the limit of the technology, says Dr. Lannier. Current tools work as a black box with inputs, outputs and mystery in the middle. But is not enough to ensure a fair treatment of the customer. The researchers stress that such situations are a good reason to involve legal scholars from the very beginning of RegTech projects, making sure that the technology being deployed is aligned to the legal framework and will not infringe upon the rights of citizens.
Nonetheless, we cannot ignore the many opportunities that these technologies create. The possibility to identify and fight financial crime more efficiently, more completely and at a lower cost is appealing to banks and regulators alike. However, scientists and engineers who develop and deploy RegTech must remain mindful of the operating environment and legal context, a challenge that researchers such as Prof. Tosza, Dr. Lannier and Dr. Voordeckers are well-positioned to address.
REGCHECK AND ICCOFIDO: RegTech in action
Two other projects aiming at using AI technology to automate compliance processes are underway at FutureFinTech. These projects have identified specific roadblocks to making RegTech work efficiently for professionals and seek to clear them. It is only through an interdisciplinary approach, which brings together background knowledge in regulatory framework and legal processes and pure technological know-how that powerful and practical tools can be built from the ground up, shaped not only by the constraints of computing power, but also the constraints of the real word.
The aim of the REGCHECK project is to harness AI to automate data protection compliance for companies who are marketing software, such as mobile applications, which handle personal data. Translating the legal and regulatory language of the GDPR into computer-friendly rules, the team will build a tool to scan “software artifacts” such as source code and detect whether a software product is compliant with aspects of the GDPR including consent and consent withdrawal, data retention times, data security requirements, etc.
Essentially, the researchers are bridging a gap between two worlds which operate in two different languages. On one hand, jargon-filled legal texts written in natural, and sometimes ambiguous language, and on the other hand, source code written in a programming language.
Automating compliance also extends to helping professionals tackle burdensome and time-consuming tasks. With the ICCOFIDO project, researchers from both computer science and legal backgrounds hope to address some of the complexity of compliance checks, including checking revisions of previously checked documents. The project sought to find a way to us AI to identify changes to investment fund prospectuses and then determine the subset of compliance rules affected by the document revision, to ultimately determine if the changes identified gave rise to a regulatory compliance issue.
Focusing on sustainability disclosures, the proof-of-concept tool was created to detect whether a fund prospectus which claimed that sustainability factors were taken into account when investing, also made all required disclosures at the time of the claim. The tool can help both regulators and financial institutions in different ways, says Dr. Voordeckers. Regulators can use the tool to verify the completeness of subsequent revisions of the fund prospectus, while financial institutions can perform compliance checks when publishing or updating their fund prospectuses. Overall, the tool will enable the reduction of the costs associated with compliance checking and the time-to-market of fund products, while minimising compliance risks.
Meet the team of researchers at FDEF
Photo credit: Olivier Minaire