1 Introduction

The financial crisis of 2008 battered the world economy and slashed trust in the financial sector (Baxter, 2016). At that time, financial regulators responded with measures that can only be compared to those in the aftermath of the Great Depression, and their main task was to reinforce the shock-absorbing capacity of the system (IMF, 2020). To make it clear what regulators and regulated entities were now facing, the Deputy Governor of the Bank of England stated: “Our supervisors get 1 billion lines of data per month coming in from the insurance and banking industry, and our rule book is longer than War and Peace” (BIS, 2020, p.12). As a consequence, banks and financial institutions were faced with additional compliance requirements. In Europe, on average 2% to 4% of the banks’ total operating costs were spent on complying with the EU Framework (European Commission, 2019), in a landscape where bank returns on equity dropped from an average of about 10% to − 3% in 2008, and never went above 6% in the following nine years (authors’ elaborations on ECB data). The cost of non-compliance was made equally clear, with fines in the post-crisis period exceeding US$ 200 billion in US banks (Arner et al., 2017a).

Against this background, financial institutions doubled down on their work to comply with fast-changing regulations, while trying to control the rising costs. The answer to this twin problem is seen to lie with RegTech, defined as “any range of applications of technology‐enabled innovation for regulatory, compliance and reporting requirements” (EBA, 2021, p. 5) which acts as a bridge between companies and regulatory requirements. Financial markets, services and institutions had already begun to deal directly with the technology-driven innovations from FinTech and new technology, which were opening significant opportunities (Zavolokina et al., 2016). After reshaping the financial landscape, digitalisation found a new outlet in regulation, compliance and reporting (i.e. RegTech) with global investment in RegTech of US$ 10.6 billion in 2020, with an increase of 203% in one year (HKMA, 2020).

Similarly to FinTech, the benefits of RegTech lie in addressing regulatory requirements more efficiently and effectively than through existing means (FCA, 2016). These high levels of digital dynamism and its continuous evolution also fuel RegTech, spawning new business ideas and ventures, such as RegTech start-ups, which can support financial institutions in managing the new risks, compliance efforts and new regulations, and help them evolve towards automation and efficiency. Nevertheless, the progress in digital innovation brings new risks, including those linked to cybersecurity (Buckley et al., 2020), whilst also introducing new unexplored areas, such as Decentralised Finance (Grassi et al., 2022). The current supervisory mechanisms have come under scrutiny, and their suitability is being questioned, as is the stability of the financial system and its exposure to risk (BIS, 2021). On their side, the regulators introduced new approaches and initiatives, which, alongside governing the risks, were also designed to nurture innovation and competition, as in the case of regulatory sandboxes and innovation hubs (FCA, 2016; Kurum, 2020), setting off a discussion about the possibility of authorities and supervisory bodies also adopting RegTech solutions.

While published works have increased in recent years, the literature on RegTech is fragmented, and there is no clear picture of the open research streams.

The purpose of this work is to provide a comprehensive and multi-dimensional framework that can be deployed to organise and present the main body of knowledge and, by connecting and comparing the existing literature, shed light into the less scrutinised corners of RegTech. Following Gurzki and Woisetschläger (2017), we combined a bibliometric analysis with a systematic review to answer our research questions into the world of RegTech, its influential papers and authors, its main areas of research, its past and its future. The overall results can support authorities and financial institutions in gaining a better understanding of RegTech, its applications and adoption, its potential and its risks.

The rest of this work is organised as follows: the next section provides the background for this research, Sects. 3 and 4 describe the methodology and present the main results, with a discussion of our findings in Sects. 5 and 6. The last section contains the conclusion, highlighting the implications and suggesting further avenues for research.

2 The emergence of RegTech

The advance of RegTech is the natural consequence of two main factors: the new regulatory environment following the 2008 financial crisis (Arner et al., 2017a) and the process of digitalisation sweeping through the financial landscape, known also as FinTech.

Shocks in global banking played a central role in the 2008 crisis (Kalemli-Ozcan et al., 2013), more or less killing trust in the financial sector, raising popular anger about the damage to the economy and to people’s individual welfare (Baxter, 2016). Weak regulation was seen as the culprit for the financial crisis (Admati & Hellwig, 2014) and, in response, the financial regulators introduced a new and stricter body of regulation (Moshirian, 2011; Nguyen, 2016), e.g. Basel III, an internationally agreed set of measures developed by the Basel Committee on Banking Supervision. These post-crisis regulations were mainly to strengthen the shock-absorbing capacity of the system, and so improve the timeliness, quantity and quality of the resources to support financial stability (IMF, 2020). At the same time, cracks started to appear, with side effects in the number of requirements introduced by these legislations, the limited extent to which compliance could be automated, the timing of the legislative changes, the short transition periods for businesses to comply with some of the legislation and the inconsistency or lack of clarity in the requirements introduced (European Commission, 2019).

Digitalisation and technology-driven innovation had already proven beneficial to FinTech business models, services and processes, and as a way to react to risks (Buckley et al., 2020). With RegTech, it found a new opening, where financial institutions could meet their compliance obligations at a lower cost, with greater effectiveness and less tortuous compliance matters for regulated entities (Quill & Lennon, 2019).

RegTech requires and emerges as a consequence of huge volumes of additional data disclosed by supervised entities, the developments in data science enabling the structuring of unstructured data, the need for regulated entities to minimise increasing compliance costs and the regulators’ efforts to improve the efficiency of their supervisory functions. Its ultimate purpose is to provide better competition, financial stability and market integrity (Arner et al., 2017a).

Regulated entities are not the only parties interested in RegTech. For the authorities, its importance is twofold, in that it is both an innovative solution affecting the regulated entities they supervise, and also something that they themselves can adopt. RegTech enables regulators to conduct their regulatory, supervisory and monitoring tasks better (FCA, 2016; FSB, 2017), leveraging on data to analyse matters relating to financial institutions in real time, such as their insolvency, liquidity, and other risk factors (Yang & Li, 2018). The authorities were clearly interested in some of its possible applications, for instance, in how natural language processing (NLP) tools could be used to manage market volatility or financial stress, in AI to study the redistributive effects of fiscal policy (FSB, 2017), or in its potential to monitor the entire population of regulated entities, rather than just a sample, improving their functions overall (Micheler & Whaley, 2020). As the relevance of those solutions grew, a new term, SupTech, was soon coined to indicate the RegTech applications used by supervisory agencies, while RegTech remained associated with applications used by regulated entities. (EBA, 2018). As RegTech, SupTech is not all about positives, it does have its risks. For instance, real-time SupTech-enabled supervision create a situation whereby regulated entities try to impress the regulator in real-time and so overlook longer-term risks (Micheler & Whaley, 2020).

The academics studying RegTech (and SupTech) have applied different lenses on a case-by-case basis. Baxter (2016) studied the increasing complexity faced by regulators in supervising modern financial institutions, suggesting that the regulators should develop their own sophisticated methods of automated supervision, introducing a clear role for RegTech solutions. Currie et al. (2018), instead, concentrated more on how financial institutions are adopting RegTech solutions to meet their compliance obligations, finding that dialectic tensions could arise because the pursuit of “transparency, surveillance and accountability in compliance mandates is simultaneously rationalised, facilitated and obscured by regulatory technology” (Currie et al., 2018, p. 1). Arner et al. (2017a) took a wider stance, trying to merge both the regulators’ and the regulates’ points of view. They described the evolution of RegTech, looking at how financial institutions and the financial industry use technology to meet regulatory requirements, and how RegTech is used by regulators, concluding with an overview of the new challenges of FinTech and how these can be met through RegTech. In other contributions focused primarily on the possible definitions of RegTech, scholars have analysed its relationship with FinTech or evaluated its impact on regulators and banks (Anagnostopoulos, 2018; Sangwan et al., 2019; Soloviev, 2018). Other works concentrated on specific RegTech solutions or on its more vertical applications, studying specific technologies or specific applications. Kavassalis et al. (2018) proposed a blockchain-based solution that could potentially transform the way risk is monitored in the financial system, exploiting the fact that financial instruments now store data at a granular level. Seppala et al. (2017) presented a visualisation technique for company legal departments to introduce standard interpretations of regulatory requirements in legal texts. Quill and Lennon (2019) proposed a preliminary solution for automating the generation of compliance documentation.

As each author applies a different lens and analyses different aspects, to the best of our knowledge, there is no single overarching understanding of RegTech, which often entails misunderstandings and a blurring of the possible benefits and risks. The purpose of this work is to provide a comprehensive multi-dimensional framework for organising and presenting the current body of knowledge, to cross-reference the existing literature and shine a light onto the least investigated aspects of RegTech. This objective can be broken down, as per Gurzki and Woisetschläger (2017), with a bibliometric analysis and a systematic review in combination enabling us to answer the following research questions:

  1. 1.

    What are the most relevant publications in the RegTech field?

  2. 2.

    Which authors are the most influential?

  3. 3.

    What are the dominant research clusters in the field of RegTech?

  4. 4.

    How has the research landscape evolved over time? What are the currently evolving topics and the promising areas for future contributions?

3 Methodology

Given the presence of different contributions, we started out with a systematic review (Tranfield et al., 2003) to explore all the dimensions of the existing literature (Pittaway et al., 2004), applying scientific rigour along the different phases of data collection and data analysis in our results (Crossan & Apaydin, 2010).

3.1 Data collection

Keywords and eligibility. “RegTech” and “SupTech” were identified as the natural keywords, but we also included “technolog*Footnote 1” plus “financ* regulat* or supervis*”, given that the terms “RegTech” (Regulatory Technology; Arner et al., 2017a) and “SupTech” (“Supervisory Technology”; Loiacono & Rulli, 2021) are themselves the contraction of two other terms. We consequently organised our keywords into strings (Fig. 1) for searching purposes. Consistently with recent systematic literature review studies, we searched through the Scopus database (as in, for example, Alam et al., 2020), to find papers written in English in the fields of “Economics, Econometrics and Finance” and “Business, Management and Accounting”, and we restricted our search to post 2009 contributions, given that RegTech had emerged as a consequence of the 2008 financial crisis. We extrapolated 1,952 items overall.

Fig. 1
figure 1

Systematic literature review—eligibility criteria

Consistency selection. To select meaningful results, we processed the Title and Abstract of each contribution following the principle of minimising the probability of false negatives. We excluded all unrelated works (Fig. 2), mainly papers concerned with other sectors (557), papers where “technology” and “regulation” were simply mentioned in the abstract or title without there being a relationship between the two, either in financial sector studies (380) or in those covering generic sectors (444), as well as papers on the regulation of technology (139) and on regulation in the financial sector in general (78). By reading the Introduction and Conclusions of the remaining 141 papers, this time following the principle of minimising false positives (Fig. 2 sets out the exclusion criteria), we obtained a final group of 74 items (see Appendix A for the full list).

Fig. 2
figure 2

Funnel summarising selection phases

3.2 Data analysis

As mentioned, we carried out a bibliometric analysis and a content analysis to uncover the emerging trends and explore the intellectual structure and content of extant literature on RegTech.

3.2.1 Bibliometric analysis

Bibliometric analysis, where quantitative techniques and new bibliometric software are applied to bibliometric data, is becoming more popular in business research (Donthu, 2021; Khan et al., 2021), including in FinTech research (Nasir et al., 2021; Peláez-Repiso et al., 2021). In this paper, we used the VOSviewer software, consistently with previous literature (Donthu et al., 2020; Merediz-Solà & Bariviera, 2019; Nath & Chowdhury, 2021).

A bibliometric analysis involves two techniques, “Performance analysis” and “Science mapping” (Donthu et al., 2021). Performance analysis is where the performance of individuals and institutions is measured in terms of their research and publications, while Science mapping involves measuring the intellectual interactions and dynamics between the elements in the research (Zupic & Cater, 2015). Given that a single indicator of performance cannot measure research quality in a univocal way (Bollen et al., 2009), a number of performance indicators have now been developed (Hall, 2011). A wide range of methods are used in bibliometric studies (Merigo et al., 2015); the most commonly adopted are publication-related metrics (total publications, number of contributing authors, sole-authored contributions, co-authored contributions, number of active years of publication and productivity per active year), citation-related metrics (total citations, average citations) and citation-and-publication-related metrics (number of cited publications, proportion of cited publications).

In Science mapping, the most frequently employed techniques are citation analysis, co-authorship analysis, bibliographic coupling and co-word analysis (Donthu et al., 2021). Citation analysis is based on the assumption that the citations reflect the intellectual linkages between publications, meaning that two publications are intellectually connected when one publication cites the other (Appio et al., 2014) (where a publication is all the more influential the more citations it receives). Co-authorship analysis is based on the interactions among scholars in a specific research field, as co-authorship is a formal way of intellectual collaboration among scholars (Acedo et al., 2006). Bibliographic coupling is based on the reasoning that if two publications share common references, their content is also similar, and can be used to divide publications into thematic clusters based on shared references. Lastly, co-word analysis examines the content of the publication, to identify and connect meaningful concepts.

3.2.2 Content analysis

Considering the fragmented situation with regards to previous contributions, we used an inductive approach and a qualitative content analysis, a widespread method (Elo & Kyngäs, 2008) for describing phenomena systematically and objectively (Downe-Wamboldt, 1992; Sandelowski, 1995), used to extract “replicable and valid inferences from data to their context, with the purpose of providing knowledge, new insights, a representation of facts and a practical guide to action” (Elo & Kyngäs, 2008, p. 108).

We started by analysing data line-by-line level, inducing “in vivo” codes (Glaser & Strauss, 1967), i.e. codes are the wording used in data source, here related to the concept of RegTech. Hence, by applying an iterative process, bringing in all the authors to reduce personal bias, we analysed the various “in-vivo” codes, grouping them into constructed codes and arranging them in a four-level conceptual tree, with codes as leaves and an increasing level of abstraction.

4 Results

Table 1 shows the results of the performance analysis on the overall group of 178 authors, yielding 74 publications, with an average of 2.4 authors per publication, with 17 sole-authored and 57 co-authored works. Considering the 14 years of active publication from 2009, productivity was 5.3 papers per active year. However, scientific production through time is far from being constant (Fig. 3). The number of papers started to escalate only in 2015, with the papers published in 2021 being nearly four times those published in 2015 (Fig. 3).

Table 1 Performance analysis
Fig. 3
figure 3

Cumulative distribution of contributions over time

If we take the universities connected to the authors and look at where these universities are located (Table 2), the United Kingdom and the United States top the list for both publications and citations. The papers cited most in absolute terms are those authored (or co-authored) by US academics (and they are the second most cited on average, with 26.5 citations per document, just behind Hong Kong (given that Prof. Arner is affiliated to the University of Hong Kong)).

Table 2 Performance analysis per country

This academic corpus was cited 1,002 times (Table 1), about 13 times per paper, with works attracting up to 93 citations (Table 3), although 21 papers are yet to be cited (28%), all of them published after 2020. We conducted a citation analysis to identify the most relevant intellectual linkages and the most influential publications and authors. The most influential publications were found to be Arner et al. (2017a), Anagnostopoulos (2018) and Milian et al. (2019), not just because of the high number of citations (see Table 3), but also because of their many interconnections with other research papers (see Fig. 4).

Table 3 Top10 publications in terms of citations.
Fig. 4
figure 4

Document citation analysis

Our analysis of most influential authors produced coherent results, with Arner, Buckley, Barberis and Anagnostopoulos being the most cited (Table 4) and influent authors (Fig. 5).

Table 4 Most cited authors
Fig. 5
figure 5

Author citation analysis

By analysing collaborations among authors, it emerged that most are single-paper co-authorships. The quartet of Arner, Barberis, Buckley and Zetzche is one of the few exceptions, having worked, in various combinations, on papers cited a good 168 times.

Considering the novelty of the topic, bibliographic coupling is ideal for identifying a broad spectrum of themes and the latest developments (Donthu et al., 2021). Figure 6a shows an interconnected network of works relying on common themes (highlighted in Fig. 6b), surrounded by other more or less standalone publications. The analysis suggests that the interconnected network consists of three main and four minor clusters. The first main literature stream contains papers that focus specifically on the RegTech phenomenon, and include Anagnostopoulos (2018), Kavassalis et al. (2018) and Arner et al. (2019). The second stream mostly contains papers on FinTech more broadly, with RegTech being thus seen as a subset, and includes literature reviews such as Milian et al. (2019) and Sangwan et al. (2019). The third literature stream contains contributions such as Blankespoor et al. (2014), O’Riain et al. (2012) and Baldwin and Trinkle (2011), and it focuses very specifically on XBRL (eXtensible Business Reporting Language).

Fig. 6
figure 6

a Bibliographic coupling results, b Bibliographic coupling results – focus on interconnected networks of common themes

Our content analysis brought up different concepts. Among the codes emerging more frequently from our analysis (Fig. 7), we found that RegTech was associated mainly with Technology (68% as a general topic, plus more specifically with Artificial Intelligence (27%), Big Data (23%) and Blockchain(s) (16%)), followed by concepts connected to Data (67% as a general topic, with specific codes such as Data Analysis (33%), Data Access and Collection (24%) and Data Quality (13%)).

Fig. 7
figure 7

Most frequent codes in the analysed contributions

The next most common codes belong to the regulatory sphere, i.e. Regulation (56%), Reporting (51%) and Compliance (45%). We found a mix of Regulation and Technology in 45% of contributions, and a mix of Compliance and Technology in 35%. “Efficiency” (41%), “Effectiveness” (29%) and “Efficiency” & “Effectiveness” (25%) emerged as clear RegTech objectives and advantages, potentially because, as per the FCA definition (2016), “RegTech is a sub-set of FinTech that focuses on technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities”.

From the co-word analysis (Fig. 8), it is plain that the very common codes play a central role in academic discussion, and are connected to specific debate on a case-by-case basis.

Fig. 8
figure 8

Co-word analysis results

5 The RegTech framework

From the analysis of the contributions, four main dimensions are currently being debated in academia, namely (1) aspects defining regulation and technology, (2) the role of data, (3) stakeholders and applications and (4) benefits and risks. These dimensions will be the building blocks for our comprehensive multi-dimensional framework.

5.1 Dimension #1: Regulation and Technology

A core block of contributions focuses on what RegTech is, essentially the merging of regulation and technology. RegTech solutions drive digitalisation and digital innovation, affecting vast swaths of organisations, entities and authorities, providing the means to improve areas such as digital reporting, and potentially upturning pre-existing structures and re-shaping regulatory processes and systems (Aksoy et al., 2021; Arner et al., 2020; Kavassalis et al., 2018; Kurum, 2020). These automated, digital and non-invasive solutions (Chiu & Deipenbrock, 2021; FCA, 2016; Quill & Lennon, 2019) provide users with a seamless experience, can be adapted dynamically and expediently, and enable real-time operations, yet remain scalable (Kavassalis et al., 2018; Laguna de Paz, 2022; Michaels & Homer, 2018; Quill & Lennon, 2019; Sangwan et al., 2019).

Is RegTech a sub-set of FinTech? Apart from the ontological debate, for some authors it is (e.g. Caciatori Junior & Cherobim, 2020; Iman, 2020; Muganyi et al., 2022; Paul & Sadath, 2021) while, for others, there should be some kind of glass barrier between the two. RegTech and FinTech are underpinned by different underlying causes, different development paths. FinTech was established bottom-up as a grassroots movement led by start-ups and tech firms, whereas RegTech was in response to top-down institutional demand, and, additionally, RegTech has a potential pivotal role in a new regulation paradigm and possible applications also in non-financial sectors (Arner et al., 2017a).

Regulation: RegTech solutions deal with several different regulations, in a broad sense also privacy issues (e.g. GDPR, Ryan et al., 2021), at both national and international levels. A solution could focus on a single regulation (e.g. the Know Your Customer (KYC) directives, Buckley et al., 2020) or on multiple regulations simultaneously (such as the Markets in Financial Instruments Directive (MiFID II) and the Alternative Investment Fund Managers Directive (AIFMD), Buckley et al. (2020)). However, not all RegTech solutions address regulations specifically, an example being certain RegTech solutions for internal reporting (Arner et al., 2020).

Technology: RegTech solutions involve a wide set of technologies, such as big data, artificial intelligence, machine learning, deep learning, DLT, Blockchain and smart contracts, APIs (relevant in encouraging integration and interoperability between systems), biometrics, Internet of Things and cloud computing (Arner et al., 2017a; Battanta et al., 2020; Becker et al., 2020; Chao et al., 2022; Dashottar & Srivastava, 2021; Du & Wei, 2020; Goul, 2019; Legowo et al., 2021; Mogaji & Nguyen, 2021; Naheem, 2019; Omarova, 2020; Priem, 2022; Rahman et al., 2021; Singh & Lin, 2020; Singh et al., 2022; Yang et al., 2021), all enabled by suitable algorithms (Baxter, 2016).

Several real implementations are possible; for instance, in keeping with the increasing use of big data for macroeconomic and financial stability goals, the US Securities and Exchange Commission (SEC) leveraged on big data when developing text analytics and machine learning algorithms to detect fraud and misconduct (Michaels & Homer, 2018) and identify misleading marketing in certain sub-sectors, such as unlicensed accountants providing financial advice (ASIC case, FSB, 2017). Artificial intelligence backs up policy assessments made by central banks and the automating of compliance processes (FINRA, 2018; FSB, 2017), albeit with the proviso of machine-readable regulations. AI is also at the basis for the supervision and/or assessment of sentiment in comments on social media about the insurance sector (EIOPA, 2020), achieved using natural language processing tools. Furthermore, modelling/visualisation technology could enable “the simulation of actions and interactions to assess their effects on the system as a whole” (FCA, 2016, p. 8). Baxter (2016) presents blockchain and distributed ledger technology are a well-known example of productivity-enhancing automation in the regulatory field, by automating processes of authentication and verification in tasks that regulators have traditionally conducted and monitored manually. Other technologies playing an important role in RegTech are biometrics for KYC purposes and quantum computing (EBA, 2021; Kurum, 2020).

5.2 Dimension #2: The Role of Data

Data play a central role in RegTech solutions, enabling and empowering entities to apply RegTech competently, essentially seeding their implementation. Data-centricity will introduce new or shift current paradigms, moving, for example, from a KYC (Know Your Customer) to a KYD (Know Your Data) approach (Arner et al., 2017a). The data ecosystem emerges as a key aspect (O’Riain et al., 2012), where data are shared “among regulators, industry associations, and investors, which is the basis for integrated technology-driven regulation” (Yang & Li, 2018, p. 3263).

Data can be structured (such as trade orders and cancelled orders, market data, customer portfolio) or unstructured (such as emails, voice recordings, social media profiles or other kinds of communications), qualitative or quantitative, and granular or aggregated (EIOPA, 2020; FINRA, 2018; Yang & Li, 2018). In a similar way, the mix of data can also vary in terms of sources, which include regulatory databases, internal communications, blogs and social media, surveillance videos and satellite positioning (Currie et al., 2018; Das et al., 2019; Michaels & Homer, 2018; Yang & Li, 2018). As, with the help of RegTech, the data collection process could be automated (Yang & Li, 2018), regulators could also decide whether to pull data directly from the banks’ systems and to combine these data with data obtained directly from customers (Bank of England, 2019; FINRA, 2018). As an example, “using […] data, perhaps collected automatically from mobile phones (geo-location and transaction data, for example), regulators could identify issues and providers that warrant increased scrutiny” (Michaels & Homer, 2018, p. 340).

If different types of data can be collected (also automatically) from different sources, high-quality data and their “integrity and control is of paramount importance for many RegTech tools” (FINRA, 2018, p. 9; Yang & Li, 2018). Therefore, some RegTech solutions focus on improvement in data quality and on data aggregation, big data processing and interpretation, and on modelling analyses and forecasting (Arner et al., 2017a; Yang & Li, 2018).

Once collected, data must be properly managed. RegTech can “support the technical handling of large amounts of data” (Buckley et al., 2020, p. 3) and its storage (Kavassalis et al., 2018), handling matters of control, data protection and quality (Omarova, 2020). RegTech solutions can then concentrate on data analysis, automating this phase (Arner et al., 2017a), processing big data (Yang & Li, 2018) and mining data (Currie et al., 2018) to achieve data-driven outcomes (Anagnostopoulos, 2018).

5.3 Dimension #3: Grounding RegTech: Stakeholders and Applications

RegTech has strong implications for a wide set of actors, along with the whole system. In the next few paragraphs we will discuss the main stakeholders in RegTech, and the main RegTech applications identified for each.

The financial sector is the natural candidate for RegTech, as it is a heavily regulated industry. RegTech is well-suited to sub-sectors ranging from banking and the payments and securities market to lending, trading and insurance (Alrabiah, 2018; Arner et al., 2017a; Bonson et al., 2010; Buckley et al., 2020; EIOPA, 2020). The array of RegTech-backed solutions underlines its potential for intermediaries, regulated entities (Buckley et al., 2020; Micheler & Whaley, 2020) and the many firms that, in general, must provide regulatory data (FCA, 2016), given the broad spectrum of regulations that fall within the scope of RegTech.

Unregulated entities also come into the equation. Tech companies, consultancy firms, start-ups and service providers can identify opportunities from RegTech development (Goul, 2019; Yang & Li, 2018). RegTech can monitor data files, emails and voice communications produced by their employees (Micheler & Whaley, 2020) and take care that information sent out into the wider world is complete and accurate, clamping down on it being otherwise used by senior managers to “obfuscate, mislead, distort, or confuse regulators and investors” (Currie et al., 2018, p. 306). Industry associations and investors can share data with regulators to create the basis for integrated technology-driven regulation (Yang & Li, 2018), while non-profit organisations and donors have lent a hand in developing tools and techniques to improve market supervision and policy analysis (Gurung & Perlman, 2018).

RegTech can provide support to firms in five functions: compliance, monitoring, risk management, reporting and operations.

In compliance, RegTech can ensure a company’s readiness for new regulations (Currie & Seddon, 2021), as well as assisting with regulatory intelligence, by providing “a catalogue of regulatory requirements in a user-friendly manner” (FINRA, 2018, p. 5). The emerging areas for RegTech are Know Your Customer (KYC), anti-money laundering (AML), counter terrorist financing and customer due diligence (Arner et al., 2017a, 2017b; Buckley et al., 2020; Lokanan, 2019), where RegTech is providing new ways to verify identity using biometrics, to profile customers and even to detect insider trading (Arner et al., 2017a; Buckley et al., 2020; FINRA, 2018).

In monitoring, RegTech can help users control potentially risky situations and set warnings and alerts (FINRA, 2018). Among the monitored variables are written and spoken internal communications, and any suspicious activity or behaviour on the part of employees (Arner et al., 2017a; Das et al., 2019; Micheler & Whaley, 2020; Micheler & Whaley, 2020).

In risk management, RegTech can help companies identify and analyse different risks (Butler & Brooks, 2018; Feng & Qu, 2021; Mishchenko et al., 2021), from compliance to cybersecurity and operational risk (Becker et al., 2020; Kavassalis et al., 2018; Quill & Lennon, 2019). RegTech “may be deployed to gather and analyse information on capital and liquidity for use in internal models” (FINRA, 2018, p. 5) or “offer synthesised visualisation of complex analytics and intuitive tools for end users to extrapolate different scenarios” (FINRA, 2018, p. 7).

In reporting, both internally and to external supervisory bodies (Buckley et al., 2020), RegTech is enrooted in risk management applications e.g. capital ratio requirements, auditing and disclosure (Arner et al., 2017a; Meredith et al., 2020; Yang & Li, 2018).

Lastly, in operations, RegTech can help in day-to-day business and processes, for instance in customer and employee onboarding processes, as the people involved can easily be made aware of guidelines and standards to follow (Quill & Lennon, 2019).

Regulators, supervisory bodies, central banks, policymakers, governments and public entities (the “authorities”) are clearly all interested parties, as the new technologies enable them to respond to the digitisation shakedown sweeping across regulated entities (Yang & Li, 2018). Authorities can leverage on RegTech solutions (which, as mentioned previously, when applied by regulators are usually referred to as SupTech) when setting policies, and in their authorising, supervising and enforcement operations (FCA, 2017; Zeranski & Sancak, 2021), for instance by automatising and streamlining administrative and operational procedures (EIOPA, 2020).

RegTech/SupTech can be used in the monitoring and controlling of macro and micro variables (FSB, 2017), in identifying and preventing fraud and suspicious activity, in risk analyses and market manipulation (Arner et al., 2017a; Chen et al., 2021; Micheler & Whaley, 2020). When such illegal activities occur, RegTech may even suggest sanctions or issue fines automatically, collecting and using data to monitor and safeguard the financial system and the conduct of market participants (Bank of England, 2019; FINRA, 2018; Micheler & Whaley, 2020). Sustainability and ethics are affected as well, where the bridging role of RegTech is to “enhance surveillance of financial activities and encourage better ethical practices” (Currie et al., 2018, p. 307).

Moreover, the authorities can control not only the behaviour of regulated entities, but their state of health as well, monitoring “insolvency, ability, liquidity, and other risk factors in real time” with the benefit of enhancing “market stability and competitiveness” (Yang & Li, 2018, p. 3262) and “NLP tools may help authorities to detect, measure, predict, and anticipate, among other things, market volatility, liquidity risks, financial stress, housing prices, and unemployment” (FSB, 2017, p. 21). A concrete example comes from the Bank of Italy, which turned to artificial intelligence to study the redistributive effects of its fiscal policy over different municipalities (FSB, 2017).

Furthermore, by using RegTech solutions, authorities will be better placed to understand innovative products and complex transactions (Arner et al., 2017a), and be ahead of the game in concerns over monetary policies (FSB, 2017). In general, RegTech could enable “regulators to keep up with the very rapid evolution of markets and their underlying technological development” (Baxter, 2016, p. 572), facilitating for instance the delivery of regulatory requirements (Anagnostopoulos, 2018).

5.4 Dimension #4: Benefits and Risks

A fourth body of literature covers the benefits that RegTech promises to bring to regulated entities, regulators and to the whole system, along with the risks.

Benefits of RegTech: Since FCA (2016), higher efficiency and effectiveness are among the most cited benefits arising from RegTech (Chao et al., 2022; Yang et al., 2018). RegTech may increase accuracy, transparency and manageability, while driving down costs, saving time and cutting out repetitive tasks (Baxter, 2016; FINRA, 2018; Ilias et al., 2019; Micheler & Whaley, 2020; Muzammil & Vihari, 2020). Indeed, resources can be concentrated where it matters: for instance, the Monetary Authority of Singapore is “exploring the use of AI and ML in the analysis of suspicious transactions to identify those transactions that warrant further attention, allowing supervisory bodies to focus their resources on higher risk transactions” (FSB, 2017, p. 23). Similarly, AI and ML can bring about a drop in errors, false alerts and risks, infusing technology into human interpretation (Brand, 2020; Currie et al., 2018; FINRA, 2018). RegTech can improve internal governance and coordination, in general backing measures to ensure that standards are adopted and laws applied comprehensively, and so protecting both corporation and staff (Currie et al., 2018; Quill & Lennon, 2019). RegTech improves the analytical capabilities in an organisation, leads to better cost-benefits analyses, consequently improving the decision-making process (Choi et al., 2021; Enriques, 2017; Michaels & Homer, 2018). While providing a higher degree of flexibility, RegTech is thought to increase robustness as well, for instance in the verification of identity (Buckley et al., 2020; von Solms, 2021).

Concentrating on the benefits for regulated entities, we found that that compliance processes were less of a chore overall, with a shrinking regulatory burden and regulatory complexity (Bank of England, 2019; Currie et al., 2018), resulting in a better interpretation of regulations, better understanding of the implications and lower risk of non-compliance (ESMA, 2017; FCA, 2017; FINRA, 2018). RegTech promises fast and real-time-enabled operations (examples are “real-time risk analysis tools to help institutions spot fraud more quickly” (Michaels & Homer, 2018, p. 340)) and RegTech solutions make “compliance easier for regulated entities” by supplying regulators with “more accurate and real time information” (Micheler & Whaley, 2020, p. 8).

RegTech can also be an agent for competitive advantage, laying on benefits for consumers and enhancing their experience, protection and knowledge across the board (Lee, 2020; Michaels & Homer, 2018; Muzammil & Vihari, 2020). In this setting, data obtained directly from customers are combined with data from external sources, and then these data are processed using sophisticated data analytics (Buckley et al., 2020).

Concentrating on the benefits for the whole system, RegTech is expected to contribute to economic growth, stability and competitiveness (Arner et al., 2019; Buckley et al., 2020; Yang & Li, 2018), reducing information asymmetry and enabling better regulation (Barberis & Arner, 2016; Currie et al., 2018). All these factors can fall into place because of these integrated, potentially standardised and interoperable solutions (Alrabiah, 2018; FCA, 2016). Being close to the real-time action, and at least partially automating the responses, can turn into a competitive advantage for the entire system. End consumers reap the benefits of higher competition shaped by RegTech (FCA, 2017) on top of greater financial inclusion (Arner et al., 2019; Chen & Yuan, 2021), and they are more protected (Arner et al., 2017a), facing, for instance, fewer financial crimes (Kurum, 2020). As a last point, markets, with the backing of RegTech, may become more worthy of trust, more open and safer (FINRA, 2018; Goul, 2019; Michaels & Homer, 2018).

Risks of RegTech: Technology, innovation, data and modelling bring undeniable risks onto the agenda. Operational risk, cyber risk, privacy of data “particularly where customer data is shared with a third-party vendor”, algorithmic biases, the risk of relying on low quality data and on models being transparent (Deshpande, 2020; Buckley et al., 2020; FINRA, 2018, p. 9; Gurung & Perlman, 2018; Currie et al., 2018), as they may turn into black boxes, are all a challenge to anyone’s spirit of innovation.

RegTech adoption is also a matter of economic resources, and risks may emerge consequently, as a high initial investment cost (Packin, 2018) may create layers of adopters, limiting RegTech’s introduction to big corporations and, in some cases, potentially excluding regulators dealing with political issues from getting further approval for their budgets. Outsourcing could be a possible solution for smaller firms, but it would not free from risk, as “without proper oversight and governance arrangements in place, [outsourcing] may lead to difficulties with accessing customer data owing to RegTech providers’ potentially short lifespan and with establishing the ownership of that data” (EBA, 2019, p. 13). Participants unable to adopt new solutions could find themselves “with platforms ill-suited for the current regulatory framework” (ESMA, 2017, p. 6). Moreover, corporations with mastery in data analyses, so far, the unmistakable beneficiaries in this area, could enter the market, leading to an oligopoly dominating data and regulation (Micheler & Whaley, 2020).

The way human resources and technology will coexist may pose additional challenges. A company’s over‐reliance on information technology solutions could “lead to a loss of human professional expertise and judgement in monitoring processes” (EBA, 2019, p. 13), the firms themselves may have a poor understanding of new technologies (EBA, 2019) and, even if skilled people are brought in, communication problems may arise between the experts in law, computer science and technology and “neither group is well placed to anticipate problems that may arise when the two are combined” (Buckley et al., 2020, p. 11). Dehumanisation or lack of skills (Chiu & Deipenbrock, 2021) can stifle most of the efforts made by the various actors.

Public authorities and the regulators themselves may face consequences if they are not able to regulate RegTech properly. The EBA (2019, p. 13) noted “a lack of provisions in the current legal framework dealing with RegTech solutions, which means that different standards are applied by different solutions”.

There is, furthermore, the risk that RegTech solutions may not only not work properly, but actually worsen the problems they are meant to solve. First of all, some tasks can be only automated if the regulations are machine-readable, although it is not clear how easy this is or how to build new regulatory software tools onto existing IT systems (Micheler & Whaley, 2020). Furthermore, as reported by EBA (2018, p. 28) “there is a risk that these RegTech solutions could potentially weaken ML/TF safeguards, if applied unthinkingly”. Systemic risk could increase (Micheler & Whaley, 2020, p. 25), as more granular regulation could lead to inflexibility, technical rather than functional compliance”. Additionally, old risk could be replaced by new: “antitrust risks and the risks for markets resulting from extremely swift transmission of information will increase and require further investigation” (Buckley et al., 2020, p. 8) as RegTech could pose a “unique risk such as resiliency and confidentiality” (FED, 2019, p. 6). In general, risks could mount if over-reliance on RegTech solutions lulls regulator and regulated entities into a false sense of security (Micheler & Whaley, 2020) or if the system focuses too much on short-term risks, neglecting those that are long-term. Buckley et al., (2020, p. 18) explained that “when the regulator receives real-time transactional information its systems can respond in real-time. There is a risk that this encourages regulated entities to orient themselves towards impressing the regulator in real-time. They could become too focused on real-time reporting, orient their business model accordingly and inadvertently overlook longer-term risks”.

RegTech could drive up the risks even further if certain market participants apply it in a malicious way (anti-RegTech, as referred to by Packin, 2018), since “malicious agents may learn to frustrate the tools by adapting their behaviour […] learning what types of behaviours are likely to cause a flag […]. Using such information, firms might be able to structure their regulatory returns in such a way as to remain undetected” (ESMA, 2019, p. 46).

The results emerging from this review were summarised in a comprehensive multi-dimensional RegTech framework, in which the many dimensions are combined and integrated (Fig. 9).

Fig. 9
figure 9

Multi-dimensional RegTech framework

In the first dimension (Dimension #1), the genesis of RegTech is explained as the merging of regulation and technology. In the second dimension (Dimension #2), we recorded the relevance of data to set up the applications for regulators and regulated entities alike (Dimension #3), and achieve the promised benefits, whilst not neglecting the risks (Dimension #4).

6 The RegTech literature phases

Four main phases emerged from the analysis of the academic contributions on RegTech, as it evolved over time.

6.1 Phase 1, 2009–2014 – XBRL: the ante litteram RegTech

In the period immediately after the financial crisis of 2007–2008, the academic world concerned with the effect of digitalisation on the regulatory realm focused nearly exclusively on the eXtensible Business Reporting Language, XBRL (e.g. Apostolou & Nanopoulos, 2009; Bonsón et al., 2010; Ilias et al., 2015), an information technology standard that linked financial figures to an identifying tag, thus creating an unambiguous means of identification. In this way, information could be exchanged between different applications and systems, while the users, including the regulators, found the data easier to extract and analyse (Liu et al., 2014). Since 2001, China, Spain, the USA and other jurisdictions have backed XBRL development, as the regulatory agencies felt that a standardised financial reporting data format was necessary (Gray & Miller, 2009; Liu et al., 2014; Srivastava & Kogan, 2010).

Since this initial phase, data has taken centre stage in the RegTech world, with academia supporting XBRL’s fundamental role of creating an integrated financial information environment, where information is generated, reported, reused, combined and analysed throughout the business community (O’Riain et al., 2012). Academics have investigated the possible benefits of XBRL, from lower costs of producing information to higher transparency, with positive effects in terms of reduced equity capital costs for the companies using this IT standard (Gray & Miller, 2009; Hao et al., 2014). Scholars, nevertheless, have drawn attention to concerns about the credibility and reliability of information contained in an XBRL format, as well as to the inconsistencies and errors (Bartley et al., 2011; Boritz & No, 2008).

6.2 Phase 2, 2015–2017 – The emergence of RegTech literature

In November 2015, the UK Financial authority, the FCA, issued a Call for Input for the development and adoption of RegTech, suggesting that “to enable effective competition and promote innovation, it is important that technologies that help firms better manage regulatory requirements and reduce compliance costs are supported” (FCA, 2015, p. 1). This call alerted other authorities, practitioners and scholars. In the two following years, in parallel with papers that were covering XBRL (e.g. Liu et al., 2017; Oswari & Januarianto, 2017; Pinsker & Felden, 2016), a first set of academic contributions studying RegTech appeared on the scene, shedding light on the first important pillars underpinning these solutions. Firstly, artificial intelligence (AI), big data, distributed ledger technology (DLT) and APIs and others were identified as fundamental technologies in the development of RegTech applications (Arner et al., 2017a; Barberis & Arner, 2016; Sheridan, 2017). Secondly, those early works set about showing how regulated entities could turn to RegTech to comply on matters such as anti-money laundering measures, capital requirements regulation, regulatory reporting and risk assessment (Arner et al., 2017a; Barberis & Arner, 2016). The regulated entities were not the only ones using RegTech, as its scope expanded to regulators, who saw its usefulness in monitoring or assessing and managing systemic risks, among other aspects (Arner et al., 2017a). Thirdly, academics focused on the possible benefits of RegTech, including savings in cost and time and higher efficiency and effectiveness (Arner et al., 2017a; Barberis & Arner, 2016). Lastly, even at this stage, it became fully clear that data had acquired a cornerstone position, as RegTech requires and enhances data collection, data quality and data analysis (Arner et al., 2017a; Barberis & Arner, 2016).

6.3 Phase 3, 2018–2020 – The surge in RegTech literature

The third phase saw a surge in the literature on RegTech (with nearly 60% of all papers from 2009 to 2020 being published in this period), with scholars revisiting and outlining the fundamental pillars set out previously. Academics no longer focused on the RegTech benefits alone, they also investigated its risks and limits, examining threats in privacy and data protection and cyber security concerns in general (Buckley et al., 2020; Lee, 2020). Other scholars woke up to the fact that authorities and supervisory bodies were applying these technologies, and began studying SupTech and its applications in supervision, fraud prevention and prudential regulation enforcement (Anagnostopoulos, 2018; Kavassalis et al., 2018; Micheler & Whaley, 2020). Another group started discussing the effects of RegTech on regulatory models. Yang and Li (2018) suggested that continuous monitoring tools designed to identify problems as they developed could contribute towards building a real-time, predictive, top-down and transparent regulatory system. Michaels and Homer (2018) and Buckley et al. (2020) suggested that data abundancy and technologies could encourage technology-led data-driven supervision, enabling a risk-based regulatory approach. Kurum (2020) investigated the usefulness of regulatory sandboxes in testing and learning how to use innovative technologies for compliance purposes in a secure way. Others, such as Micheler and Whaley (2020), discussed how RegTech could be integrated into the various regulatory strategies for financial regulation (e.g. command regulation, self-regulatory approach or meta-regulation, where choice of strategy lies between control and freedom). In the latter part of this phase, a series of papers concentrated more on specific dimensions and applications of RegTech (such as Roszkowska (2020), on the impact of RegTech on auditing processes), opening the way to the fourth, and current, phase of RegTech literature.

6.4 Phase 4, 2021-ongoing – Towards focused RegTech literature

In the current phase, along with contributions in continuity with those of the previous phase, an increasing number of scholars are focusing on more specific dimensions and applications of RegTech.

The authors of an interesting group of papers are tapping into the burgeoning role of sustainability, seeing for instance how DLT can support ESG reporting, by promising agile, transparent and automated data collection processes (Cerchiaro et al., 2021). Another series of works look at how new technologies can help to eliminate the vulnerabilities in climate risk management processes, showing that climate change data can impact on company exposure and slotting transparency into regulatory reporting at financial institutions (Miglionico, 2022). Other papers are concerned with RegTech in crisis resolution (ResTech), as its application in this area can support resolution authorities in their work to develop resolution plans and the resolving of financial firms (Loiacono & Rulli, 2021). Others still evaluated the ramifications of RegTech in the light of specific regulations, such as the Basel III regulatory framework (Huang, 2021). As the market evolves and more RegTech applications emerge, we can expect that the academic literature will turn up the spotlight on specific applications, possibly adopting more quantitative methodologies as data become more available.

7 Conclusions

Digitalisation is rolling through financial markets, and one of its incarnations, RegTech, the focus of this paper, is promising higher efficiency and effectiveness. We are proposing a comprehensive multi-dimensional framework, which can be deployed to organise the main body of knowledge and, by connecting and comparing the existing literature, shed light into the less scrutinised corners of RegTech.

The resulting multi-dimensional framework bridges across four main dimensions, starting with regulation and technology (Dimension #1), where various technologies (big data, artificial intelligence, machine learning, deep learning, DLT, Blockchain and smart contracts, APIs, biometrics, Internet of Things, cloud computing and so on) are applied to single or sets of regulations, which are not necessarily financial in scope.

Data (Dimension #2) takes on a central role, in that data centricity and data sharing open up the discussion on data ecosystems, where additional value can be attained by each market participant, while data automation and machine readable regulations enable regulators to pull data directly from the banks’ own systems and combine these data with data obtained directly from customers or other external sources.

Several applications emerged from our work (Dimension #3). The applications cover matters of compliance, monitoring, risk management, reporting and operations, both for regulated entities, which have a bearing in several regulations, as well as for non-regulated entities (e.g. start-ups, tech companies, service providers, not-for-profit organisations). These applications range from tracking updates in regulation to setting alerts, monitoring and analysing a number of risks (compliance, cyber, counterparty, operational), gathering information and defining potential scenarios, reporting to supervisory bodies and to internal controllers, and other practices leading to improvements in customer profiling and identity verification, or even monitoring corporations for their environmental compliance. From their side, the authorities can leverage on RegTech (SupTech) solutions to make policies, to undertake their authorising, supervising and enforcement operations, for monitoring and controlling purposes, and even to issue fines automatically.

As a consequence, stakeholders can reap a series of benefits (see Dimension #4), starting with higher efficiency and effectiveness, to achieve accuracy, transparency and lower compliance costs, spending less time and effort on these matters and discarding repetitive tasks. RegTech can also be the driver behind a better interpretation of regulations, it can thus enable faster real-time operations and encourage economic growth, financial stability and competitiveness and greater financial inclusion.

Stakeholders are potentially at risk as well, primarily from cyber risk, algorithmic biases, use of low quality data, which, if underestimated, could induce a worse outcome than before. The way in which human resources and technology will coexist may cause trouble further along, bringing into play dehumanisation and communication problems between experts in law, computer science and technology.

Our results show that RegTech, as a complex concept and a continuously evolving array of solutions, should be studied without losing sight of the wider picture, even when drilling down to lower layers and dimensions of relevance. In that RegTech is in itself the multidisciplinary nexus connecting technology, regulations and data, bringing together law experts, technology experts and data analysis experts, it is clear that gone are the days when they could work with a silo mentality.

RegTech applications require, or at least induce, higher digitalisation in compliance processes, imposing the need to leverage more extensively on data and technological innovations. Data centrality, and the essential condition for data to be properly managed, stored and protected, is likely to become critical in RegTech and this is a bridge that will have to be crossed. What emerged, moreover, is that supervision and regulation are expected to progress in a more data-driven direction, propelling interaction between regulators and regulated entities, introducing a more predictive, proactive, transparent and responsive objective and potentially unearthing new ways to handle regulations. So far, the regulation side has taken a more prudential approach and the system has gained, but the downside has been higher compliance requirements and costs for the regulated entities, possibly limiting their innovative verve and also restricting the entry of new players to the market, who/which would be unable to do so under the current complex and expensive regulatory requirements.

Lastly, with many players offering solutions in this field, there could be potential conflicts of interest, or fallouts on the competitive landscape and, with RegTech entities working with both the authorities and the regulated entities, we may reach the point where Chinese Walls are built and RegTech is itself regulated.