The global financial crisis raises profound questions about how financial markets and the participants in those markets should be regulated. The scale of the crisis has meant that issues which are normally discussed only by technical experts now are the subject of public debate. However, much of this public debate (and even some academic debate) about the future of financial regulation seems to assume that introducing a few new national and transnational institutions and changing a few rules can make a significant difference. For this reason, Kenneth Bamberger’s article, Technologies of Compliance: Risk and Regulation in a Digital Age, forthcoming in the Texas Law Review, is essential reading. The article shows that it is necessary to think about the ways in which private and obscure technologies of compliance risk distorting financial regulation.
Over the last few years, and somewhat ironically given the crisis, financial regulation has evolved to emphasize risk management by financial firms. Regulators have identified many varieties of interconnected risks which financial firms should manage. But although the crisis illustrates weaknesses in how financial firms have in fact managed the risks involved in their businesses, risk management as a focus of regulation is clearly here to stay. The G20, most recently in the Leaders’ Statement from the Pittsburgh Summit, and the Basel Committee (for example in its revisions to the Basel II market risk framework) continue to emphasize the idea of risk management as a core component of financial regulation. Policy makers are advocating the development of more sophisticated domestic and transnational institutions for the management of systemic risk.
The complexities of large financial corporations and financial regulation are such that modern risk management is necessarily a zone of automation. Transnational systemic risk management is also likely to involve automated systems. But although some of the critiques of the financial regulatory system in which the crisis was born, such as the UK’s Turner Review, note that regulators had acquiesced in the market’s over-reliance on complex mathematical models for risk management (in particular in the context of capital adequacy), the larger debate around financial regulation tends to be innocent of the complexities of compliance. By unpacking some of the layers of financial regulation, Bamberger provokes his readers to think carefully about the implications of the use of automated compliance systems for risk management.
Programmers who develop automated compliance systems, Bamberger argues, effectively make choices about how to interpret the law, and how to translate it into code. The law as applied may be different in important ways from the law that legislators and regulators promulgated — not least because the regulators’ choices to emphasize principles rather than rules are subverted by an implementation which turns principles into rules. Not only is law modified through the actions of managers of financial firms in applying it, but it is modified, perhaps in ways not fully understood by managers, by the programs which are used to apply it. Bamberger describes the processes which generate compliance systems as involving interactions between separate expert systems which communicate with each other imperfectly. The resulting risk management systems are ultimately a source of risk.
In contrast to public processes for the development of laws and regulations, the processes which generate compliance systems are private and opaque. Bamberger argues that choices about the interpretation of law should not be made by “private third-parties invisible to regulators.” He asks: “how does the technological instantiation of law-elaboration through implementation fare in light of the public law norms of accountability, effectiveness and legitimacy that traditionally govern the exercise of delegated discretion?”
Bamberger thus shows us that automated compliance systems are problematic from the perspective of genuine risk management and also from the perspective of good governance. The solutions he proposes for both sets of problem involve increasing transparency and improving the technical expertise of regulators, facilitating a dynamic collaboration of regulators and firms to develop effective risk management systems, including recognizing the importance of human judgment. Bamberger is not the only scholar whose work suggests that corporate lawyers should become more familiar with the implications of new governance scholarship, but his elegant unpacking of the subtle issues involved in automated compliance and the implications of this unpacking for thinking about risk management make this article required reading.