Reality check on RegTech: What makes a good venture case?
Over the last four years Compliance Technology (“RegTech”) has been touted as one of the most significant new themes in financial services since Fintech and neobanks.
The enthusiasm is justified from an industry standpoint. By some estimates, spending on Compliance now eats up more than 4% of bank budgets. More than $300bn has been paid in fines since the 2008 financial crisis. Doing business in banking has become a lot harder and more expensive.
As it should, Technology rose to the challenge and the broader financial services ecosystem lent its support. Nowadays, nearly every consulting firm has an opinion on RegTech and most of them have partnerships with vendors. Incumbents started evaluating solutions and as exploring partnerships.
RegTech entrepreneurial activity increased, mirroring the industry excitement. As of June 20, 2020, a well-known startup database is following as many as 276 RegTech companies at the seed and early stages. The firm also reports $574m of seed and early-stage venture investments in 2019, up from $265m in 2015.
It is thus tempting for investors and entrepreneurs to see RegTech as the new ‘Payments’ space to enter or invest in. However, we have identified some headwinds that suggest this narrative needs to be reframed.
In our view, many RegTech startups will grow into valuable businesses, but the conditions needed to make them billion dollar companies are not necessarily present. This note summarises our findings and our reasoning.
The catalysts
RegTech is not really new as an investment space. In the early 2010s few people took interest in it. On-premise solutions and inhouse-built applications were supporting processes that were only loosely digitised, if at all. So why did RegTech become such a hot topic? We believe there are three key factors.
First, financial regulation has become complex and more tightly enforced. Since the 2008 crisis, financial institutions have come under more scrutiny from regulators and the larger public. There are now more regulatory bodies (e.g. EBA, ESMA), more rules (e.g. EMIR, MiFID II), and a higher pace of regulatory change to comply with (e.g. 52k changes globally in 2015, up from 14k in 2011).
In response, the industry has been throwing people at the problem. Manual work, loosely-integrated spreadsheets and databases were the first response. And they have not left since. During our interviews, we learnt that a global European bank has close to 800 FTEs doing regulatory monitoring, impact assessment and related project management. Another pan-European Bank player has c. 300 FTEs for the same tasks. And another European mid-market bank has c. 80 FTEs handling anti-money laundering (AML) alerts.
Second, technological capability has improved. Advanced technology (e.g. deep-learning, fuzzy matching models, network analysis) needed to solve compliance-related problems is now available. In addition, banks and insurances are now open to (and even interested in) working with modern architectures and deployment models. The “Cloud” is no longer a taboo, and partnering has become easier.
Third, banks and insurances have become more digital. Their business lines are generally under competitive pressure. Accordingly, client demands have evolved. Turnaround times must be short (e.g. onboarding, payments or general execution). Risks have also changed, but so have mitigation measures. Selecting good RegTech partners helps financial institutions to reduce friction in their customer journey and mitigate risk effectively.
The hurdles
Selling to banks and insurances is difficult. Long and hard sales cycles of twelve to eighteen months are the norm for annual contract values (“ACV”) in the high five digits and above.
This stems in part from the banks’ desperation to reduce costs and protect profit lines since the 2008 crisis. Change-the-bank budgets are tight. Longer lead times and good arguments are required to slot new investments in, regardless of the potential savings further down the road.
Risk management and compliance functions are also by their nature highly risk averse. We learned that decision-makers, given their own accountability to the regulator, want to be 200% sure that a new solution works. Sunsetting an inefficient but working system requires high levels of trust. Limited track records and confidential partnerships (not uncommon in defense technology) make it difficult for young companies to build up credibility.
This risk aversion is also deeply rooted within internal IT departments. Given their own exposure, it takes a lot to persuade a CIO to consider opening their company’s technology architecture. In addition, RegTech solutions generally operate on end-client data. Startups therefore have to go through extensive infosec due diligence to close a deal.
We also noticed that new entrants sometimes fail to identify the real industry pain points. Real-time AML screening for example is not a regulatory requirement in the EU, despite what some firms like to suggest. However auditability, traceability and transparency are. Data integration challenges are also often overlooked when looking at deep-learning solutions. This confusion is understandable given that the space is hidden from industry outsiders.
Finally, the business models of many RegTech solutions offer limited upside potential. Most startups are in the business of saving banks money, not making more of it. Unlike payment businesses, a large majority of RegTech firms capture no commissions on dollar volumes. And they do not get a cut of the fines that they helped the bank to avoid paying.
SaaS and usage-based pricing models address some of these concerns. But even so, only a few solutions boast value propositions impactful enough to generate stellar annual contract values.
Implications for venture investments
Venture Capital economics rely on outsized successes. We aspire to back the next unicorns, or generate at least 10x on our investments. And as suggested earlier, few companies will be able to post ACVs, revenues, margins and growth rates high enough to justify billion-dollar valuations.
So far, exits of compelling magnitude have been scarce. Biometric authentication company FacePhi for example lPO’ed at a market capitalisation of c. $500m in February-20. KYC / AML company RDC was acquired for $700m by Moody’s in January-20. For comparison, older-generation AML suites only warranted valuations of $286m for Norkom (acquired by BAE) in 2011 and $280m for Actimize (acquired by NICE) in 2007.
Some companies are on track for decent exits, however. AML company Verafin raised $389m in its series D, with its value estimated at close to $1bn. KYC / ID-verification company Onfido took about $100m in series D, suggesting a valuation in the high three-digit millions. This suggests we need to keep our eyes open.
What we, as investors, look for
Let us say it clearly here: CommerzVentures is on the lookout for gems in the RegTech space.
Given the finite pool of addressable financial institutions, the compelling candidates should be able to generate substantial ACV at maturity, either thanks to:
- An expandable value proposition (e.g. data-integration models: AML to NBO, Credit Risk Management, Market Risk Management)
- The ability to unlock sizeable cost reductions (i.e. HC reductions; lower run-the-bank expenses)
- A scalable model providing participation in volume, or usage (i.e KYC)
We also believe that the prime candidates for venture investments should exhibit, among others, some of the following characteristics:
- Financial and operational ability to manage and win over long sales cycles (18m+)
- Regulator-friendly solutions (e.g. auditable; white-box; risk-neutral or reducing)
- Founding teams with industry insiders, and an excellent FS B2B track record
So are you an entrepreneur in the RegTech space? Are you tackling a tricky problem for the industry?
Give us a shout! We are looking forward to having a conversation with you.
