In this post, we describe a recent example of technology allegedly being used to evade regulations and frustrate regulators – a phenomenon that we call “anti-RegTech”.
But first, what is “RegTech”? RegTech generally refers to the use of technology by businesses to help comply with regulatory requirements more efficiently. It has largely been welcomed by regulators across the globe. But, as with all technological innovations, RegTech can be used for both legitimate and illegitimate purposes.
This post was written by Urszula McCormack, Evan Manolios and Jack Nelson.
Uber and “greyballing”
Uber’s ride sharing app presents an interactive map to its users that displays all available cars in a given location. But last month the New York Times revealed that Uber had been presenting an altered map to certain users, replete with phantom cars that would not accept rides.
Uber claimed that this “greyballing” technology was used for market testing and promotions.
However, Uber’s ride-sharing services remain illegal in many jurisdictions – most recently, five Uber drivers in Hong Kong were fined and banned from driving for one year. By greyballing regulators and law enforcement, Uber could arguably prevent them from gathering the evidence necessary for legal action.
This is largely down to the fact Uber had the ability to selectively greyball specific users. Users to be greyballed were allegedly identified using geolocation data, credit card details and social media profiles. Collating this data, Uber was apparently able to determine which users were likely to be regulators or law enforcement based on whether, for example, their credit card was linked to a police credit union, or the amount of time that they spent inside transport department buildings.
Given the early stage of RegTech development, it is unclear how much of an issue anti-RegTech will be going forward. But, as the use of technology in the regulatory space increases, so too does the commercial incentive to manipulate that technology, or create other technologies to evade regulation. This might include, for example:
- an algorithm that divides up large money transfers into smaller transactions, so as to fall under money laundering trigger amounts;
- an app that manipulates social media profiles, to dupe Know-Your-Customer checks; or
- a program that facilitates tax evasion by randomly and minutely altering a merchant’s sales records, leading to an under-reporting of income.
How regulators police anti-RegTech is also unclear. The Uber case demonstrates that keeping the lid on large-scale regulatory avoidance is difficult. Nonetheless, more drastic measures, including mandatory software examinations by regulators (beyond those already being undertaken), may become the norm if anti-RegTech becomes a widespread phenomenon.
What are the legal issues?
There isn’t generally a law against anti-RegTech, but there are several ways in which anti-RegTech can breach local law and regulation, depending on the facts. For example:
- fraud, misrepresentation etc – where an element of deceit is involved;
- actual breach of law – for example, market misconduct, tax evasion, money laundering or sector-specific laws such as environmental protection;
- accessorial liability and complicity by aiding, abetting etc an offence;
- breach of ancillary legal protections – for example, the use of “matching” technology in breach of local privacy laws; and
- breach of regulation – involving a breach of the standards of conduct imposed by a regulator on its licensees. We would expect this to be the case in anti-RegTech applications used by a regulated financial services company (or its agents).
There could be a range of other risks.
What you need to think about
This is a case of “Know-Your-Technology”. It is not enough to have one legitimate purpose, if the technology can (and is) being used for regulation-defeating purposes.
The key questions to ask include the following:
- What tools is my business using, or proposing to use?
- Does it have a legitimate purpose that we can demonstrate?
- Does it have any other purpose(s) that could be perceived as evading regulation, or possible unintended uses? What are the issues?
- How are we managing that risk? For example, can we apply appropriate blocks or conditions? Do we need to give our Tech people a steer on the parameters of what is okay and what is not?
- Do we need to include anything in our agreements with IT professionals and outsourcing contracts?
Investigations and enquiries from regulators must also be carefully handled. They are very easy to lose control over, particularly when press coverage is involved and staff involved in regulatory communications are not across the technical and legal specifics.