
The effects of the 2008 financial crisis are still being felt today—in many sectors and in many ways, both obvious and subtle.
The crisis’s immediate effects on financial institutions are well known. After the collapse or near-collapse of major banks, and in response to the newly exposed weaknesses in risk management, regulation, and overexposure to certain products (for example, mortgage-backed securities), many governments put in place more—and more complex—regulatory requirements. The United States, for example, passed the Dodd–Frank Act, which increased oversight of banks and financial institutions. Meanwhile, many other countries implemented regulations according to the Basel III rules, which were developed by the Basel Committee on Banking Supervision.
Andreas Kremer is a partner in McKinsey’s Berlin office; Dan Williams is a partner in the Washington, DC, office; Krishna Bhattacharya is a senior partner in the New York office; Sebastian Schneider and Thomas Schumacher are senior partners in the Munich office; Theodor Vendrig is a partner in the Oslo office; and Julian Fuchs-Souchon is a knowledge expert in the Stuttgart office.
Banks have struggled to meet these requirements ever since. In 2024 alone, banks paid $19.3 billion in penalties—a higher figure than ever before. To help manage their regulatory obligations, banks can look to regulatory technology, or RegTech. RegTech solutions are software programs that automate and improve how businesses manage compliance, monitor risk, and report to regulators, with each software update reflecting the most current regulatory requirements.
What led to the formation of the RegTech industry?
Around the same time as the 2008 financial crisis, a wave of new technologies (including artificial intelligence, machine learning, cloud computing, and biometrics) became widely available at lower costs than ever before. This made it possible for RegTech providers to develop cutting-edge solutions for financial institutions that needed to comply with postcrisis regulations and increase the efficiency of their processes, which had largely been manual up to then.
By 2016, the term had become commonly used at industry conferences, and the RegTech Association was founded in 2017. Today, what was once considered experimental in the risk and compliance domains is now essentially mandatory technology for leading financial institutions.
Learn more about McKinsey’s Risk & Resilience Practice.

What are the core categories of the RegTech market and how have they evolved over time?
RegTech solutions fall into four main categories: financial risk and capital management; governance, risk, and compliance; cyber and IT security; and financial crime. Each category comprises various segments that can be mapped to a specific set of regulations and is served by a discrete set of providers.
Here are examples of RegTech solutions in each category:
- Financial risk and capital management. Asset and liability management (ALM) is an essential process banks use to balance assets (such as loans and investments) against liabilities (such as deposits and borrowings) while managing risks, including interest rate fluctuations, liquidity shortages, and funding costs. Financial institutions can use RegTech to manage ALM and comply with regulations: for example, through tools that support fund transfer pricing and liquidity management. RegTech solutions also support dynamic planning, which improves the governance and insights that banks use to navigate volatile financial environments. (European financial institutions most often cite risk management as the reason to implement RegTech; see Exhibit 1 for more.)
- Governance, risk, and compliance. Banks operating internationally need to comply with a significant number of regulations across regions. Their compliance teams are continuously screening, analyzing, and interpreting regulations for their own institutions—a process that RegTech can simplify. RegTech enables banks to scan their regulatory environments more holistically, across jurisdictions, issuing bodies, and languages. These solutions can also help banks analyze, interpret, and even map regulatory requirements according to current policies and controls.
Achieving near-perfect regulatory compliance with RegTech
At one US-based bank, the legacy regulatory management solution fulfilled less than 75 percent of its regulatory obligations. This gap left the organization vulnerable to regulatory scrutiny and potential fines. The solution also required substantial manual intervention and reliance on third-party legal services to address outstanding regulations, provide supporting narratives, and map obligations to internal policies and controls.
To address these inefficiencies, the bank implemented a solution from a RegTech vendor that fully automated its process for regulatory changes, or how organizations manage and adapt to new or updated regulations. The RegTech platform integrated with existing governance, risk, and compliance systems, then automated the capture, classification, standardization, and mapping of regulatory data across the relevant jurisdictions. This solution eliminated the company’s need for manual processes and reduced its reliance on external legal services. After implementing RegTech solutions, the bank achieved a compliance rate of higher than 95 percent.
- Cyber and IT security. More than 150,000 European companies will soon be required to comply with updates to the bloc-wide Network and Information Security 2 Directive (NIS2), which was originally adopted in 2023. As financial institutions prepare for the new regulations, RegTech can help them identify any compliance gaps between the new requirements and their current operations.
- Financial crime. Regulations related to financial crime (such as the European Union’s anti-money-laundering frameworks and the US Bank Secrecy Act) require financial institutions to monitor all of their transactions and payment flows so they can detect and report cases of money laundering. RegTech suppliers that use AI for transaction monitoring as well as a rule-based methodology can help financial institutions increase their detection of crime and reduce false positives.
Enhancing fraud prevention with behavioral biometric RegTech
In Latin America, one major bank was struggling with fraud and was unsatisfied with its existing monitoring system, which blocked less than half of the fraud attempts it experienced.
After the bank integrated a third-party RegTech solution that used behavioral biometrics, its fraud detection rates improved to more than 90 percent and its rate of false positives fell by 66 percent. The solution provided real-time fraud prevention and a tailored approach, which closed critical gaps in the bank’s earlier system and enhanced security for customers.
Today, McKinsey estimates that about 1,000 firms, from smaller challengers to incumbent risk and IT providers, offer RegTech services of some kind. Notably, existing providers have also been rebranding their services to associate themselves with the rising RegTech brand.
What are the main drivers of the RegTech market’s growth?
There are four main drivers of the RegTech market’s growth:
- Complex and dynamic regulatory requirements: Financial institutions face substantial regulatory requirements, including highly complex legislation (for example, the Basel III framework). For global organizations, meeting regulatory requirements across geographies can present an especially significant challenge.
- Compliance-related fines: In general, financial institutions want to avoid attention from regulators. Events such as on-site audits frequently lead to additional probes and fines, which can cost companies billions of dollars.
- Higher regulatory standards: As regulators become more aware of the RegTech solutions on the market, they have increasingly higher expectations for the organizations under their remit.
- Digitalization, automation, and cloud adoption: Many financial institutions are moving toward replacing, or have already replaced, on-premises hardware solutions with cloud offerings. Cloud solutions can be updated easily and often, which makes it easier for companies to adapt to changing regulations and requirements.
What are the prospects for the RegTech market?
McKinsey believes that the technology-related share of risk and compliance budgets will continue to grow, and in the process augment the capabilities of human workers in these functions. Demand for RegTech will be driven by the need to meet increasingly complex and fragmented regulations—thanks to geopolitical shifts, among other trends—and the segment is expected to grow by up to 14 percent until 2028.
In the near future, specialized RegTech providers—particularly those that address financial crimes and cybersecurity—are likely to continue outperforming more generalized, end-to-end vendors. McKinsey expects those two areas, in addition to governance, risk, and compliance, to grow faster than others, such as balance sheet management or market-risk-related software. Across geographies, RegTech providers currently serve clients primarily in North America and Europe. RegTech markets in the Middle East and Africa may experience faster growth due to lower penetration (Exhibit 2).
What should private equity investors consider when investing in RegTech companies?
Private equity investors interested in this sector should consider the following three market points:
- Stickiness and longer sales cycles: RegTech products are sticky. Financial institutions may take up to two years to decide whether to purchase a RegTech product, but it’s unlikely that the product will be replaced quickly since compliance is so important to financial institutions. For RegTech providers and their investors, this brings challenges as well as opportunities. On the one hand, strong sales teams have to spend a lot of time up-front with customers; on the other, the revenue streams are reliable and companies may be able to shift to value-based pricing (that is, when a product’s price is based on its value to the customer rather than the cost to produce it).
- Logic underlying regulatory requirements: Each RegTech solution aims to solve a specific problem—many of which relate to a specific set of regulatory requirements. However, regulation is mercurial. As geopolitical and other macroeconomic shifts occur, we could see further changes in regulation or even periods of deregulation that render certain solutions partially or wholly irrelevant. Investors should ensure they have a deep understanding of the regulation on which a RegTech solution is based, as well as the RegTech’s value proposition, before issuing valuations.
- “Herd mentality” at financial institutions: At risk-averse financial institutions, it’s not uncommon for leaders to favor an incumbent service provider over an upstart. Given the nascence of the industry, many RegTech providers fall into the latter category, so they may have to work harder to convince financial institutions of their value.
What should financial institutions consider when evaluating potential RegTech solutions?
Financial institutions interested in RegTech should consider the following:
- Market developments: Financial institutions should stay informed about market developments within RegTech, including AI compliance regulations and improvements in scam protection.
- Combinations of specialized solutions: Choosing a RegTech solution need not always be an either-or decision. Financial institutions frequently engage multiple specialty RegTech providers rather than work with a single, generalized end-to-end solution.
- Focus on data quality: RegTech firms frequently offer sophisticated AI algorithms to approach specific problems, but these algorithms won’t work well with low-quality data. If a financial institution’s data is not of high quality, then engaging a RegTech provider could be a waste of resources. For financial institutions, improving data quality should be a prerequisite for deploying RegTech solutions.
