As emerging technologies drive new business and service models, governments must rapidly create, modify, and enforce regulations. The preeminent issue is how to protect citizens and ensure fair markets while letting innovation and businesses flourish.
Sweeping technological advancements are creating a sea change in today’s regulatory environment, posing significant challenges for regulators who strive to maintain a balance between fostering innovation, protecting consumers, and addressing the potential unintended consequences of disruption.
Explore the Future of Regulation collection
Read more from the Government & public services collection
Subscribe to receive related content
Emerging technologies such as artificial intelligence (AI), machine learning, big data analytics, distributed ledger technology, and the Internet of Things (IoT) are creating new ways for consumers to interact—and disrupting traditional business models. It’s an era in which machines teach themselves to learn; autonomous vehicles communicate with one other and the transportation infrastructure; and smart devices respond to and anticipate consumer needs.
In the wake of these developments, regulatory leaders are faced with a key challenge: how to best protect citizens, ensure fair markets, and enforce regulations, while allowing these new technologies and businesses to flourish?
The assumption that regulations can be crafted slowly and deliberately, and then remain in place, unchanged, for long periods of time, has been upended in today’s environment. As new business models and services emerge, such as ridesharing services and initial coin offerings, government agencies are challenged with creating or modifying regulations, enforcing them, and communicating them to the public at a previously undreamed-of pace. And they must do this while working within legacy frameworks and attempting to foster innovation.
As seen from the history of early automobile regulation (see “A history lesson” sidebar), tough restrictions on motor vehicles—laws designed to protect pedestrians, horse-drawn carriages and even cattle—delayed advances in automobile development by decades. Today, regulators face similar challenges. They must balance their charge to protect citizens with advancing innovation in new technologies and businesses, resisting the urge to overregulate.
This study is the first in a series of Deloitte papers on the future of regulation. The next study will explore how regulators can utilize technologies and tools like machine learning, text analytics, and design thinking to dramatically change the way they operate, generate efficiencies, cut costs, and increase compliance and adoption.
This paper begins by exploring the unique regulatory challenges posed by digital-age technologies and business models. Section two describes the four critical questions policymakers and regulators must address when it comes to regulating the digital economy. Finally, section three provides a set of five principles to guide the future of regulation:
Scholars have identified a host of challenges emerging technologies present to traditional regulatory models, ranging from coordination problems to regulatory silos to the sheer volume of outdated rules.1 We have grouped four of the most important challenges into two buckets: business and technological (see figure 1).
“Can regulators keep up with fintech?”2 “Drone regulators struggle to keep up with the rapidly growing technology.”3 “Regulatory scramble to stay ahead of self-driving cars.”4 “Digital health dilemma: Regulators struggle to keep pace with health care technology innovation.”5 Headlines like these capture a central challenge to today’s regulators.
Existing regulatory structures are often slow to adapt to changing societal and economic circumstances, and regulatory agencies generally are risk-averse. Rapid adaptation to emerging technology, therefore, poses significant hurdles—and, in turn, to the technology industries, where change occurs at a rapid rate.
“If the volume and pace of digital transformation continues to remain the way it is, the existing regulatory approach won’t work,” says Bakul Patel, the US Food and Drug Administration (FDA)’s associate center director for digital health. The gap between technological advancements and the mechanisms intended to regulate them—often called the “pacing problem”—is only growing wider. “There’s a disconnect between the speed, iterative development and ubiquitous connected nature of digital health technologies and the existing regulatory structures and processes,” says Patel. “The current regulatory approach is not well-suited to support that fast pace of development.”6
The pacing problem has acquired new urgency due to the speed with which modern innovations are scaling.7 Digital products, services, and industries can become very large, very fast. The policy cycle often takes anything from five to 20 years whereas a unicorn startup can develop into a company with global reach in a matter of months. Airbnb, for example, went from 21,000 arrivals in 2009 to 80 million in 2016.8 Meanwhile, cities and states are still trying to figure out how, and if, they can regulate short-term rental markets.9 Ride-hailing services have experienced similar hyper-growth as regulations in the space struggle to adapt.10
Tightening regulation for new, high-visibility industries brings new political and shareholder pressures. It’s one thing if regulation slows the launch of new firms or industries—and quite another if it strangles their growth.
Financial organizations—or “fintech”—are expected to attract more than $46 billion in investment by 2020.11 But this will depend, in part, on regulation. According to one survey, 53 percent of Asian fintech investors cite tightening regulations as one of the biggest challenges to fintech, second only to risk management, and 89 percent believe these regulations will continue to tighten.12
Industry regulatory challenges are compounded by the existing patchwork of regulations. Many national regulatory systems are complex and fragmented, with various responsible agencies exercising overlapping authority. The trade friction resulting from the redundancies and patchworks of regulation lies at the very heart of today’s trade agenda.
Coordinating with regulators across borders is another challenge. Since the late 1980s, many organizations and consortia have cropped up to serve as independent standards-creation bodies that accommodate the unique needs of emerging technology sectors.13
The history of automobile regulation offers a powerful lesson about the potential dangers of overregulating new technologies and industries. While attempting to develop automobiles in the late 1800s, British innovators were severely restricted by acts of Parliament that originally addressed the dangers posed by steam engines. In particular, the Locomotive Act of 1861 required that “locomotives”—defined as mechanically propelled vehicles—be manned by at least two persons and not exceed 10 mph on turnpike roads or two mph when passing through towns.
In 1865, Parliament significantly tightened the rules with an amendment known as the “Red Flag Act.” This law required self-propelled vehicles to be manned by a crew of at least three, with one person walking at least 60 yards ahead of the vehicle, carrying a red flag to warn pedestrians and other vehicles—including horse-drawn carriages—of the approaching locomotive. In addition, the act reduced the speed limit of self-propelled vehicles to 4 mph on highways, while maintaining the two-mph speed limit in towns and villages.14 The act was eventually repealed in 1896, but by that time its provisions had effectively stifled the development of road transport in the British Isles.15
In the United States, several states passed similar “red flag” laws in the late 1800s, to provide safety measures for early automobiles. Pennsylvania contemplated one of the most infamous red flag pieces of legislation in 1896, which would have required all motorists, upon encountering cattle or livestock, to immediately stop, “as rapidly as possible disassemble the automobile,” and “conceal the various components out of sight, behind nearby bushes until equestrian or livestock is sufficiently pacified.” The governor vetoed it.16
The point of this history lesson is not that no regulation was needed. Rather, it illustrates that the regulation enacted tended to reflect an understanding of yesterday’s technologies instead of what was emerging at the time.17 These examples illustrate the “too fast” problem. Regulators are trying to avoid this while simultaneously avoiding the “too slow” problem.
A good example of the latter is the continuing consumer exposure to radioactivity after its dangers were well understood. Hermann Joseph Muller first recognized the genetic effects and increased cancer risk associated with radiation exposure in 1927. But products such as the toy Radiumscope were still being sold into the 1940s18 and X-ray shoe-sizers were still being used until the 1970s.19
Many information-economy activities have developed in utter disregard of the executive branch organization chart, cascading around and across existing lines of authority.20
—Julie E. Cohen, professor of law and technology, Georgetown Law School
Disruptive forms of technological change often cross traditional industry boundaries. As products and services evolve, they can shift from one regulatory category to another. For example, if a ride-hailing company begins delivering food, it can fall under the jurisdiction of health regulators. If it expands into helicopter service, it will fall under the purview of aviation regulators. If it uses autonomous vehicles for passengers, it may come under the jurisdiction of telecommunications regulators.21
Despite facing often challenging regulatory regimes, ride-hailing companies have grown rapidly and have put an enormous amount of pressure on traditional regulatory regimes. Maintaining consistency in rules and regulations is particularly difficult in the sharing economy, which often blurs lines between vendors, facilitators, and customers.
The evolving, interconnected nature of disruptive business models also can make it difficult to assign liability for consumer harm. For example, if a self-driving car crashes, who is liable—the software developer, automobile owner, or the occupant?
Volvo Cars, the Swedish automaker, expects liability to shift from the driver to the manufacturer. “Carmakers should take liability for any system in the car,” Anders Karrberg, vice president of government affairs at Volvo Car Corp., told the U.S. House Energy and Commerce Committee's Digital Commerce and Consumer Protection subcommittee. “So, we have declared that if there is a malfunction to the [driving] system when operating autonomously, we would take the product liability.”22
Similarly, consider 3D-printed products. How should product liability laws be applied? Who is liable if 3D-printed furniture fails? Is it the store that printed the part, the supplier of the design, or the printer manufacturer?
In the case of virtual currencies, the anonymous, decentralized nature of transactions presents a particularly difficult challenge for regulators. In June 2016, the Decentralized Autonomous Organization—a project using the Ethereum blockchain-based platform—was drained of $55 million when an attacker exploited a flaw in the code.23 To date, the culprit hasn’t been identified and questions of liability remain.24 In this case and others, the properties that make technology appealing also can allow scam artists and hackers to take advantage of the industry’s overall lack of maturity.25
We have a legal, regulatory framework built on the basis of mail, paper, words, versus a new world order which is digital, continuous, 24/7, and built on bits and bytes. Somehow we need to square these two worlds.26
—Aaron Klein, policy director, Center on Regulation and Markets, Brookings Institution
The growing use of smartphones, connected devices, and sensors has created a vast digital footprint in consumers’ lives—a trend that will only accelerate.
From a regulatory perspective, one important question is who owns all this data—the user or the service provider who stores it? If the service provider owns the information, what obligation does it have to store and protect it? And to what extent can data be shared with third parties? Can a car manufacturer charge a higher price to car owners who refuse the right to share their private data and less to those willing to share their data?
With no single global agreement on data protection, regulators around the world are taking different positions on these issues. Nearly 30 percent of nations have no data protection laws.27 Those that do, often have conflicting laws.28 The EU’s General Data Protection Regulation (GDPR), for instance, enshrines the principle of privacy, providing strict controls over cross-border data transmissions and giving citizens the right “to be forgotten.”29 In a survey, 82 percent of Europeans say they plan to use their new rights to see, limit, or erase their data.30 The US approach, by contrast, focuses on sector-specific rules (such as health care, financial, and retail) and state laws.
One emerging sector impacted by data regulation is digital health. A key development in digital health technology is Software as a Medical Device (SaMD), which can diagnose medical conditions, suggest treatments, and inform clinical management. SaMD allows patients to play a more active role in their own health care.
Regulatory agencies generally have regulated SaMD in much the same way as traditional medical devices such as heart stents. As the FDA has noted, however, this approach isn’t “well-suited for the faster, iterative design, development, and type of validation used for software-based medical technologies.”31
A stent remains untouched by the device maker once it’s released into the market. Software developers, though, can make continuous changes to their products remotely, after release. These changes may be related to security, feature updates, or improvements based on the data collected from users. But current regulatory practices emphasize vetting before products are released.
Another key regulatory challenge in the digital arena is cybersecurity.32 “Malicious cyberactivity has proliferated,” says the EC’s Andrus Ansip. “It has become more brazen and sophisticated, more imaginative, and international.”33 Cybersecurity is particularly critical in areas such as fintech, digital health, digital infrastructure, and intelligent transportation systems. The financial services industry was attacked 130 million times in 2017, while cyberattacks in the payment space alone have risen by 452 percent since 2015.34
In the digital health field, SaMDs continually collect and analyze data on medical images, physiological status, lab results, and more, raising potentially serious concerns about the protection of patient data. Autonomous vehicles could be targets of cyberattacks as well. What precautions should developers of autonomous vehicles take to ensure malicious hackers won’t force vehicles to crash or manipulate signals to cause traffic jams?
In an April 2017 poll by survey firm Morning Consult, 71 percent of respondents felt there should be national regulations on AI in the United States, and 67 percent called for international regulations regulating AI technology.35 Yet AI in its various forms poses some of the most difficult challenges to traditional regulation.
The “black box” problem. Algorithms today make scores of strategic decisions, from approving loans to determining heart-attack risk. Given the importance of algorithms for consumers and businesses, it is important to understand them and make sense of their decisions. But algorithms often are closely held by the organizations that created them, or are so complex that even their creators can’t explain how they work. This is AI’s “black box”—the inability to see what’s inside an algorithm.
In response, some experts in the field have suggested making algorithms open to public scrutiny. Many aren’t made public because of nondisclosure agreements with the companies that developed them. That’s likely to change, however, at least in the European Union. In May 2018, the GDPR went into effect requiring companies to be able to explain how algorithms using the personal data of customers work and make decisions.36
Algorithmic bias. Algorithms are routinely used to make vital financial, credit, hiring, and legal decisions. In theory, this should lead to unbiased and fair decisions. But some algorithms have been found to have inherent biases. And while in some countries regulations explicitly prohibit discrimination in these and other areas, gray areas exist and often the underlying algorithms are opaque.
“People are basically getting or not getting those things that they need based on scores that they don’t understand and sometimes don’t even know exist,” says Cathy O’Neil, author of Weapons of Math Destruction. “Right there you already have something very dangerous.”37
A widely cited example of algorithmic bias was found in a study conducted by Harvard faculty member Latanya Sweeny. Her study concluded that searches for stereotypical African-American names are up to 25 percent more likely to be displayed alongside an arrest-related ad. Sweeney gathered this evidence by collecting more than 2,000 names suggestive of race. For example, first names such as Terrell, Tyrone, and Ebony suggest the person is black, while Amy, Jake, and Emma suggest the person is white.38
As government policymakers and regulators grapple with the regulatory challenges posed by digital technologies, four foundational questions are critical to address (see figure 2):
The first step in the preregulatory phase should involve a thorough review and understanding of pertinent existing regulations, looking for those that might be blocking innovation, are outdated, or are duplicative. By current state, we refer to the whole ecosystem of regulation that could apply: from vertical service or sector regulation, for example, for motor vehicles; to convergent regulation where multiple sectors are involved; to lateral regulation such as employment or business licensing.
Often such a review hasn’t been done in many years. A Deloitte analysis of the 2017 US Code of Federal Regulations found that 68 percent of federal regulations have never been updated (see figure 3).39
A retrospective review forces regulators to evaluate whether alternatives to regulation or adjustments to current rules could adequately address the perceived problem.40 Denmark, for example, has created a task force to challenge outdated legislation and regulations in the wake of disruptive business models.41 The Danish Ministry of Environment and Food is home to one of the more aggressive regulatory modernization efforts. This includes cutting the number of regulations in its portfolio by one-third, plans to slash the number of laws it administers from 90 to 43, and an update of all existing laws to conform to the digital age.42
How can regulators avoid the too fast or too slow problem? A number of the principles outlined in the next section of the paper (particularly principles one and two, adaptive regulation, and regulatory sandboxes) are designed to help answer the when question by both bringing regulators closer to the technological innovations while also shifting to a more agile regulatory model.
Policymakers have a host of reasons for regulating, but generally, they are trying to protect citizens, promote competition, and/or internalize externalities. Which of these reasons is most important in a given situation will impact how to answer the next critical question: What’s the best regulatory model to use? A wide variety of potential approaches exist between heavy, precautionary regulation on one end of the spectrum and little to no regulation on the other end (see figure 2).
And indeed, in areas ranging from cryptocurrencies to autonomous vehicles, we’re seeing regulatory models across the spectrum. Consider regulations pertaining to unmanned aerial systems (UAS), or drones. Governments have increasingly opted for one of two paradigms in building regulatory systems: UAS Allowance (broader permissiveness of UAS usage) or UAS restriction (usage permitted only within specific limits).
When answering the “what is the right approach?” question, an important consideration is what regulation scholar Adam Thierer calls “global innovation arbitrage.” As he explains: “Capital moves like quicksilver around the globe today as investors and entrepreneurs look for more hospitable tax and regulatory environments. The same is increasingly true for innovation. Innovators can, and increasingly will, move to those countries and continents that provide a legal and regulatory environment more hospitable to entrepreneurial activity.”43
We have already seen this scenario play out with genetic testing, unmanned aerial systems, autonomous vehicles, and the sharing economy.
Considering the rapid rate at which emerging technologies are progressing and business models evolving, it is a good bet that in order to stay relevant, regulations applied today will need to be revisited within the next decade or so. There are a variety of ways to institutionalize such automatic reviews; these range from regulatory sunsetting with periodic review44 to processes like the European Union’s Regulatory Fitness and Performance (REFIT) program, which conducts retrospective evaluations to look for laws that are obsolete or in need of revision.
The following five principles can both help to answer the “when to regulate” and “how to regulate” questions as well as set a foundation for rethinking regulation in an era of rapid technological change (see figure 4).
Shift from “regulate and forget” to a responsive, iterative approach.
Rapid change, pivoting business models, and experimentation are hallmarks of technology-driven businesses—but are rarely the norm in regulation.
Traditionally, regulators conceptualize new rules and regulations in response to market developments or new legislation. Next, they spend months or years drafting rules and presenting a first draft for public comment. Finally, they examine these comments—and there can be tens of thousands or even millions of them—and change the proposed draft accordingly.
The problem with this process is twofold: First, regulators often don’t really know how businesses and consumers will react to new regulations; and second, the rules are rarely reconsidered once in effect.45
Adaptive approaches to regulation, on the other hand, rely more on trial and error and co-design of regulation and standards; they also have faster feedback loops. More rapid feedback loops allow regulators to evaluate policies against set standards, feeding inputs into revising regulations. Regulatory agencies have a number of tools to seek such feedback: setting up policy labs, creating regulatory sandboxes (detailed in the next section), crowdsourcing policymaking, and providing representation to industry in the governance process via self-regulatory and private standard-setting bodies.46
The National Highway Traffic Safety Administration (NHTSA)’s 2016 Federal Automated Vehicles Policy offers an example.47 By taking an iterative approach in designing policy for autonomous vehicles, the NHTSA responded to new data and technologies to make significant revisions to its initial policy of 2017.48
Soft law mechanisms—instruments or arrangements that create substantive expectations that are not directly enforceable—offer another tool for shifting to more adaptive regulation.49 Unlike hard law requirements such as treaties and statutes, soft law can include informal guidance, a push for industry self-regulation, best-practice guidance, codes of conduct, and third-party certification and accreditation.
While not legally binding, soft law instruments have several advantages over formal regulation in the arena of emerging technologies. They allow regulators to adapt quickly to changes in technology and business models, and to address issues as they arise without stifling innovation.50 Moreover, through deep engagement with affected stakeholders, they help regulators understand the nuances of the technology and its potential impacts.
One way regulators can apply soft law is to define the scope of issues to be addressed and ask industry to develop its own standards and codes of conduct in response. Elizabeth Denham, the UK’s information commissioner, has said that regulators should develop broad principles so that industry leaders can develop standards to align with them.51 Regulators then can certify the standards developed by private industry.
Finnish officials recognized the need to reform their transport regulations to support their vision of mobility-as-a-service (MaaS), which considers transportation as an integrated system of different services. “We have to look at the transport system as one entity, with no borders and the ability to share data on payments, tickets, and location,” says Anne Berner, Finland’s minister of transport and communication.
Hence, the country decided not to reform or revise separate laws on taxis, public transport, roads, or the transport of goods but instead to create a new integrated transportation code. “We decided to remove those old laws and create a new transport code that incorporates all transport modes into one piece of legislation, to be technology-neutral, and to create the same level playing field for different transport modes,” Berner says. The aim is to deregulate existing transport while building the foundations for MaaS.52
Prototype and test new approaches by creating sandboxes and accelerators
An accelerating trend for regulatory agencies is the creation of accelerators and “sandboxes,” in which they partner with private companies and entrepreneurs to experiment with new technologies in environments that foster innovation. “The role of a regulator is no longer just a regulator; it's more of a partner in bringing safe and effective technologies to the table for people to have that high confidence in those technologies,” says the FDA’s Patel.53
Accelerators are designed to speed up innovation. They often involve partnerships with private companies, academic institutions, and other organizations that can provide expertise in certain areas. Sandboxes are controlled environments allowing innovators to test products, services, or new business models without having to follow all the standard regulations (see figure 5).
The Canadian Securities Administrators (CSA), for example, launched a regulatory sandbox that provides time-limited relaxation from certain regulatory requirements placed on startups.54 “The objective of this initiative is to facilitate the ability of those businesses to use innovative products, services, and applications all across Canada, while ensuring appropriate investor protection,” says Louis Morisset, CSA chair and president and CEO of the Autorité des Marchés Financiers.55
Impak Finance, for instance, became the first company ever to legally raise $1 million via a cryptocurrency crowdsale in the Americas.56 As part of the CSA sandbox, it was exempted from registering as a security dealer and providing a prospectus. Impak will be allowed to remain in the sandbox for two years.57
Meanwhile, the United States is piloting a sandbox approach for unmanned aerial systems (UAS). The Department of Transportation’s Federal Aviation Administration has chosen 10 public-private partnerships to test UAS. “The pilot programs will test the safe operation of drones in a variety of conditions currently forbidden,” says Transportation Secretary Elaine Chao. These include operations over the heads of people, beyond the line of sight, and at night. “Instead of a dictate from Washington, this program takes another approach,” Chao says. “It allows interested communities to test drones in ways that they’re comfortable with.”58
Sandbox approaches are intended to help regulators better understand new technologies and work collaboratively with industry players to develop appropriate rules and regulations for emerging products, services, and business models.59
Sandboxes are not without their detractors who worry regulators might get too close to the startups and try to prop them up if they stumble in the market.60 With this in mind, the Brookings Institution’s Aaron Klein suggests a better metaphor might be that of a greenhouse: “A greenhouse is a thing in which small plants are put into full sunshine and transparency and allowed a unique environment that's different from the outdoor environment. By definition, it’s more protected and hospitable, and in time, it allows the plants to grow and flourish. Some of the companies in your greenhouse might fail, just like some plants in your garden die; others will grow and flourish, but there's full transparency, with some protection.”61
The United Kingdom has been a pioneer in the use of accelerators and sandboxes as part of the regulatory process. Its Financial Conduct Authority (FCA), as part of its broader Project Innovate, launched the first fintech regulatory sandbox in June 2016. This sandbox allows businesses to test innovative products and services in a safe, live environment, with the appropriate consumer safeguards, and, when appropriate, is exempt from some regulatory environments.62 After its first year of operation, 90 percent of firms that completed testing in its first cohort were continuing toward a wider market launch, and more than 40 percent received investment during or following their sandbox tests.
The FCA released a report on what it learned from its first year. Some key lessons include:
Focus on results and performance rather than form
Traditionally, regulations have tended to be prescriptive and focused on inputs. When the focus of regulation shifts from inputs to outcomes, the way government intervenes in markets changes. This shift can create operational efficiencies for regulators and greater freedom for innovators.
Outcome-based regulation specifies required outcomes or objectives rather than defining the way in which they must be achieved. This model of regulation offers businesses and individuals more freedom to choose their way of complying with the law.
Prioritizing performance and outcomes enables governments to develop regulations (or other, softer mechanisms such as guidelines) that focus on the positive effects regulators are looking to encourage (or the negative effects they’re looking to prevent). Consider three different ways of structuring UAS regulations:
Often, emerging technologies’ real potential can be harnessed only when they are meshed together, such as using blockchain to secure data generated by autonomous vehicles, or using a combination of machine learning and natural language processing to prescribe medication via a chatbot. For such connections to happen, innovators need room to innovate. Outcome-based regulation can provide the leeway needed to experiment.
Australia has developed performance-based guidelines for autonomous vehicles. “Guidelines are preferable to legislation as they allow the flexibility to be quickly amended and updated, if required,” states a policy paper by Australia’s National Transport Commission (NTC). The paper goes on to say that regulations for automated vehicles should be “proportionate, performance-based, and regularly reviewed.”66
Paul Retter, NTC chief executive, believes multiple issues should be addressed before making autonomous vehicle a reality on the road. “Our focus is on ensuring the regulatory system remains flexible enough to accommodate evolving technologies as they come to market while always prioritizing public safety,” says Retter.
Industry stakeholders also are evaluating performance-based standards. The Australian Automobile Association suggests that standards for automated vehicles should be performance-based and technology-agnostic, and that the responsible parties and processes for certifying vehicle modifications should be clearly identified and unambiguous.67
Shift from one-size-fits-all regulation to a data-driven, segmented approach
Speed to market is imperative for businesses, especially startups with business models predicated on emerging technologies. Speed to market also can make digital services and products more effective. As they are used, they usually collect data on their users. With the help of advanced analytics and, in many cases, AI, the data can then be analyzed to detect new patterns and trends, information that can make the product more accurate, safe, effective, and personalized. Because of this iterative factor, the sooner safe and effective products get to the market, the better.
One way to accelerate the approval of business models based on emerging technologies would be to draw inspiration from the precheck systems for airline travel used in many countries. These work by using data to certify low-risk flyers, who then receive a lower level of scrutiny and inspection.
A similar approach could be used to help expedite approvals of new business models. It would allow certain companies to go through a streamlined and predictable approval process, contingent on their providing access to key information.
The State of New Jersey allows commercial trucks enrolled in NJPass to bypass weigh stations. Qualification is based on their Federal Motor Carrier Safety Administration rating and data on history of roadside inspections.68 “This system [focuses] on higher-risk carriers and provide[s] more efficient use of our limited New Jersey State Police resources,” explains Paul Truban, NJDOT’s manager of the Bureau of Freight Planning and Services.69
A data-driven, risk-based approach shouldn’t be just limited to preapprovals, however. It can be extended to a dynamic, regulatory approach, based on real-time data flows between companies and their regulators. Already, many regulatory bodies, from the US Securities and Exchange Commission to the European Commission, have established such data flows with industry.70
The resulting data could then be analyzed and compared with regulations or expected outcomes to decide whether a firm is in compliance. Firms in compliance would be listed as safe, and if not, the data systems could produce a set of action items to meet the standard, or, in the case of a more serious violation, issue reprimands or penalties such as removal from the safe list.
Regulators also can use open data to complement their own data or for independent inspection. In the case of digital health software, a regulator could monitor products through publicly available data on software bugs and error reports, customer feedback, software updates, app store information, social media, and GitHub.71 Once the data flows are integrated, this part of the regulatory process can be automated. Enforcement can become dynamic and reviewing and monitoring can be built into the system.
Consider an experiment in the city of Boston. The city’s usual food safety process, which relied on random selections of restaurants for further scrutiny, needed improvement. The city’s data portal72 hosts public data on restaurant food safety inspections as well as many other aspects of city life. To more effectively identify restaurants in need of regulatory attention, the city collaborated with Yelp and Harvard Business School to sponsor an open competition to develop an algorithm that could predict health code violations. More than 700 contestants participated, using restaurant inspection data and years of Yelp reviews.73
While participants analyzed the reviews, looking for common words and phrases,74 Harvard economists evaluated the submissions against the city’s actual inspection reports. The verdict: The winning algorithm could improve inspectors’ ability to find violations by 30 percent to 50 percent.75
Yet another form of risk-based regulation could lower the high entry cost of regulatory certification. Daniel Castro of the Center for Data Innovation suggests moving to a “cloud computing model of regulation,” in which scalability is built into the regulatory model. For instance, if a company’s product or service were targeted toward only a few users, it might receive fewer checks since its potential adverse impact would be limited. Only after that company grew and began selling its products more widely would it encounter a more thorough investigation.76
For certain digital health products, the FDA already uses risk-based approaches that balance potential risks with patient benefits.
As part of its Digital Health Innovation Action Plan, the FDA created a Pre-Cert pilot program for eligible digital health developers that demonstrate a culture of quality and organizational excellence based on objective criteria—for example, excelling in software design, development, and testing. The pilot intends to look “first at the software developer or digital health technology developer, not the product.”77
The idea behind this is to allow the FDA to accelerate time to market for lower-risk health products and focus its resources on those posing greater potential risks to patients. Precertified developers could market lower-risk devices without additional FDA review, or with a simpler premarket review.
But precertification is just one part of the model; the FDA intends to monitor the performance of these companies continuously, with real-world data. Scorecards and corresponding Pre-Cert levels could go up or down based on performance and effectiveness data. If scores fall below a defined threshold, the organization might lose certain benefits, such as expedited reviews for less-risky products or eligibility for Pre-Cert status until it can resolve any product issues through a new assessment.78
Align regulation nationally and internationally by engaging a broader set of players across the ecosystem
A recent global survey of more than 250 experts and leaders of financial institutions indicated that regulatory divergence—inconsistent regulations across different nations—costs financial institutions from 5 percent to 10 percent of their annual revenue. The patchwork of international financial regulations costs the global economy $780 billion annually.79
As the digital economy expands, with new business models, technologies, products, and services, regulators around the world can benefit from collaborative approaches such as co-regulation, self-regulation, and international coordination. Through multi-stakeholder meetings that produce concrete policy guidance and voluntary standards, regulators and firms as well as other interested parties can be engaged in the process.
This ecosystem approach—when multiple regulators from different nations collaborate with one other and with those being regulated—can encourage innovation while protecting consumers from potential fraud or safety concerns. In this approach, private, standard-setting bodies and self-regulatory organizations also have key roles to play in facilitating collaboration between innovators and regulators.
The fintech space has shown glimpses of regulatory convergence (see figure 6). For example, Singapore has signed 16 agreements with entities in 15 different countries. These agreements include information exchanges with other nations’ regulators and regulated businesses, referrals of firms attempting to enter a regulatory partner’s nation, and guidance for companies on the regulations of nations they wish to enter.80 Such agreements could lead to standard frameworks and guidelines across nations.
Global and regional institutions can play a key role in facilitating these cross-border agreements. The Asia-Pacific Economic Cooperation, for example, enables cross-border data flow among its members through a set of principles and guidelines designed to establish cross-border privacy protections while avoiding barriers to information flows. Businesses agree to follow the privacy rules; independent entities monitor and hold the companies accountable for privacy breaches.81
In certain instances, regulators can benefit from working directly with businesses, innovators, and other players to define rules for emerging technologies. For example, the internet’s decentralized, global structure defied regulatory logic and demanded a new framework to address its revolutionary nature.
In 1997, after considering various regulatory approaches to internet governance, the Clinton Administration released a set of principles called The framework for global electronic commerce to guide the development of digital communications technologies. The framework outlined a number of general principles to guide the government’s treatment of cyberspace and forestall aggressive regulatory action. Among these:
Taken together, these principles establish a de facto regulatory structure that sidesteps the traditional process for promulgating new rules in favor of a system of co-regulation and multi-stakeholder engagements. Such systems can help induce constructive dialogue among various stakeholders who might otherwise be less amenable to compromise.
For technological innovation, regulation can be catalytic—or a hindrance. As emerging technologies evolve, regulators from around the world are rethinking their approaches, adopting models that are agile, iterative, and collaborative to face the challenges posed by emerging technologies and the fourth Industrial Revolution. To promote innovation, regulators are also moving toward creating outcome-based regulations and testing new models in sandboxes. The principles outlined in this paper can help regulators balance consumer protection and innovation effectively. This is the first study in our series on the future of regulation. Look for our additional papers in the months and years ahead.