The regulator of tomorrow Rulemaking and enforcement in an era of exponential change

Regulators and regulations play a critical role in society—but one that may need to evolve to remain relevant and effective in the face of technology-induced change.

Navigating change

Regulations exist to protect citizens and businesses, correct market failures, and make many aspects of our lives easier. They can help give us lower prices due to increased competition, greater peace of mind in saving and borrowing, increased safety in our journey to work, and confidence in the lunch we buy from a local deli.

In recent years, the persistence and scale of technology-induced change have led many to doubt the value and practicality of government regulation. Although this discussion continues, regulators and the regulations they create and enforce still play a critical role—but one that may need to evolve to remain relevant and effective.

In this paper, we examine the challenges that regulators face in our rapidly changing world—from keeping up with technical and business model innovations and the growth in the number of suppliers of goods and services, to dealing with the increasingly digital nature of their constituents and the changing attitudes and behaviors of industries and consumers. We then identify opportunities for leaders of regulatory agencies to navigate today’s challenging landscape and prepare for the future—both in the way they make rules and the way they enforce them. In many ways, regulators can harness the very trends that have caused disruption and use them as a means to modernize regulatory practices and increase effectiveness.

It's tough to be a regulator today

Regulators are on the front lines of nearly every controversy resulting from a new technology—either being told to get out of the way or being called upon for solutions when incidents arise. Data breaches, 3D-printed guns, clashes between taxis and ridesharing services, and many other events that make news headlines also pose real challenges to regulators. In a fast-moving and increasingly complex world, regulators are finding it harder and harder to balance the need to protect citizens and fair markets with the need to avoid impeding innovation.


We see five general trends that are driving this tug-of-war between protection and innovation:

The exponential pace of technological change.1 New technologies that used to have two-year cycle times now can become obsolete in six months, and the pace of change is not slowing. Moore’s Law posits that computer processing power will double every two years, and this exponential rate of increase has also been shown to hold true in industries beyond computing.2 When combined with software that is “eating the world,”3 new technologies can be developed, deployed, and iterated faster than ever. This presents a unique timing challenge for regulatory agencies: Regulate too early and you risk stymieing innovators; wait too long and you risk losing the opportunity to regulate a technology or service before it becomes widespread, potentially harming consumers or markets in the interim. An example of how this trend plays out is the Internet of Things (IoT)—the network of sensor-enabled Internet-connected devices ranging from cars to sneakers to thermostats. A handful of years ago, the microchips needed to enable data collection and wireless communication were cost-prohibitive. Now, these microchips are more cost-effective and are commonly used in connected devices—which presents a privacy challenge for regulators.4 Protecting one’s privacy was previously fairly straightforward: Close the blinds at home, secure documents with personally identifiable information (PII), and be mindful of public conversations. Today, however, an individual might be generating and transmitting data from multiple devices to multiple companies. Each new device in the age of the IoT presents significant challenges to a regulator’s ability to keep citizens’ data secure.

The emergence of new business models.5 By now, most people have heard of the “sharing economy”—an economic system, enabled by communications technologies such as mobile and the Internet, that is built around the sharing of human and physical resources. From a regulator’s perspective, the sharing economy’s peer-to-peer marketplaces disrupt traditional economic transactions. Citizens are able to share cars (through services like Uber and Lyft), residences (through platforms like Airbnb), and even their own kitchens (through mechanisms like EatWith) with their peers. While this provides new job and income opportunities, it creates potential risks to public health and safety. For example, if someone chooses to rideshare to work, is the driver liable if his or her passenger is hurt in an accident? The sharing economy is just one recent example of technologies disrupting traditional business models, and there may be more disruptions ahead as entrepreneurs find new ways of meeting consumers’ needs.

Shrinking barriers to entry for suppliers and buyers.6 Technology has reduced barriers to entry for many aspiring entrepreneurs. Online retail portals let people sell goods without expensive physical retail spaces. 3D printers could further make it easier to sell goods and services by allowing people to create bespoke manufacturing companies. In parallel, many products and services that used to be accessible to only a few are now accessible to the mass market due to advances in technology that have radically reduced these products and services’ cost and democratized access. Take genomic mapping, for example. Sequencing the first ever human genome in 2001 cost $100 million. Now, there are services on the market that can sequence and analyze portions of an individual’s DNA for a small fraction of that amount. This changing landscape presents real challenges for regulators: Not only is the number of services and products they regulate growing, but so is the number of suppliers and consumers.

The “ignore until large” phenomenon. The arguments between startup companies and the established industries they are competing with are ultimately landing at the doors of regulators. The fact that disagreements often escalate illustrates what can be called the “ignore until large” phenomenon, which is an issue for both regulatory organizations and startups. Some startups make a conscious choice to avoid engaging with regulators until they are large enough to have clout, derived either from their growing consumer base and loyalty or from their business success. On the regulators’ side, given how hard it is to monitor the vast number of new startups and market entrants, it is tempting to wait to engage with startups until they are shown to be viable in the market. The problem is that “large” can happen very quickly, and a regulator may not have the luxury of waiting and seeing what happens. Consider Airbnb: In 2008, when Airbnb first started, it seemed like a niche community of people willing to rent a room or to strangers. Fast-forward to today: To date, Airbnb has booked over 30 million nights and is valued at $20 billion.7

The rise of business ecosystems.8 Business ecosystems have been described as “dynamic and co-evolving communities of diverse actors who create and capture new value through both collaboration and competition.”9 These tightly integrated networks of organizations are a shift from the siloed and self-contained corporations of the past. A central aspect of this transition to dynamic and collaborative networks is that firms can begin to “deploy and activate assets they neither own nor control” and engage larger numbers of ecosystem participants.10 Apple® provides an example of how ecosystems can be created. With the announcement of its App StoreSM, Apple provided a platform and user base to app developers while simultaneously benefiting from those same developers’ innovative ideas, investments, and feedback to help make Apple’s own products and services more compelling for consumers.*

Disruptive trends are making it difficult for regulators to achieve their missions. But what if this changing business landscape presented opportunities to help regulators overcome the challenges they face? In the balance of this report, we explore the potential for regulators to embrace the opportunities presented by technical and business model innovation, the increasingly digital nature of their constituents, and industries’ and consumers’ changing attitudes and behaviors to help them meet key challenges across their two main functions: rulemaking (part one) and oversight and enforcement (part two).

* Apple and the App Store are trademarks of Apple Inc., registered in the United States and other countries. The current publication is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple Inc.

Part one: Rulemaking

Regulators are often the agencies responsible for implementing policy mandates. These mandates can vary from being highly prescriptive to giving regulators great freedom to determine how to implement a policy. In some cases, regulatory agencies have been granted authority by Congress to monitor entire industries, with discretion as to determining how to protect citizens and fair markets.

The business of rulemaking is governed by its own laws and regulations, from the Administrative Procedures Act to approvals of proposed rules by the Office of Management and Budget. All of these processes are designed as a safeguard to protect our citizens while not unduly burdening the regulated businesses or entities.

The process of formal and informal rulemaking is well defined,11 incorporates input from citizens and industry, and can take time. Given the challenges previously described, it becomes essential for regulators to think creatively about their rulemaking activities to meet their policy objectives. In this section, we explore several rulemaking opportunities for the regulator of tomorrow:

  • Rethinking outreach
  • Sensing
  • Guidelines and statements versus regulations
  • Tomorrow’s talent
  • Consultation 2.0

Opportunity: Rethinking outreach

“I know no safe depository of the ultimate powers of the society but the people themselves; and if we think them not enlightened enough to exercise their control with a wholesome discretion, the remedy is not to take it from them, but to inform their discretion by education. This is the true corrective of abuses of constitutional power.” —Thomas Jefferson12

In an era of rapid change, trying to identify every possible risk to citizens and markets and then create rules to mitigate them is a tough and probably impossible task. However, regulators can work directly with citizens to cut the time lag between when a new service or product causes harm to a consumer and when a regulator finds out about that harm so that it can inform the evolution of rules and guidance if appropriate. Educational materials, discussions, and question-and-answer sessions can help increase citizen awareness and help them make more educated decisions.

Digital technologies help make outreach at the national level more feasible. Citizens are becoming increasingly digital, with mobile broadband subscriptions expected to grow from nearly 1 billion in 2011 to over 5 billion globally in 2016.13 Online platforms can give regulators a mechanism for capturing citizen and market concerns and points of view at scale.

Rethinking outreach: Consumer Financial Protection Bureau 

The Consumer Financial Protection Bureau (CFPB), an independent agency of the United States government responsible for consumer protection in the financial sector, was seeking to enhance its citizen outreach efforts. At the same time, cities across the United States were adopting 311 systems to lessen the burden of non-emergency 911 calls and connect citizens quickly with public services.14 Seeing the potential of these existing platforms to connect consumers to government, CFPB partnered with several US cities’ 311 systems to allow calls regarding financial concerns from their citizens to be routed directly to CFBP. These calls covered issues people were having with financial products and services such as mortgages, credit cards, and debt collectors.15

CFPB Director Richard Cordray described the benefits of the 311 systems as “a great win-win. Consumers can reach the CFPB more directly. Cities can potentially lighten their loads and refer their residents to the experts.”16 The 311 systems allow citizens to engage directly with regulators in an effort to have their concerns addressed in a transparent, timely manner. It’s also an opportunity for CFPB to collect information on the financial challenges citizens face, potentially helping CFPB to make more informed, targeted policies.

What to consider

  • Connect early and often. Utilizing online platforms can connect regulators with citizens in a timely way. This allows for open dialogue on policies and practices, informing both the consumers and regulators.

  • Think beyond the town hall. New York Department of Financial Services superintendent Benjamin Lawsky found a way to engage with citizens on recent Bitcoin regulation. He participated in a Reddit “Ask me anything” session, opening up a dialogue with hundreds of citizens on pending regulation.17 By using the Reddit platform to engage with citizens, Lawksy was able to address issues for the Bitcoin community, and CoinDesk reported that his session “provided more evidence to suggest that he intends to craft legislation that strikes a balance between the needs of law enforcement and Bitcoin entrepreneurs.”18

  • Make sure you have the capacity to meet demand. In the spring of 2014, the Federal Communications Commission (FCC), an independent agency created to regulate communications by radio, television, wire, satellite, and cable, sought to consult citizens on proposed changes to rules impacting net neutrality.19 In response to this request for comments, the public submitted a record 3.7 million comments through the FCC’s online comment system.20 The influx of comments on the proposed regulation crashed the system.21 This example offers a number of lessons (discussed later), but on the topic of general outreach, it is important to note that—although most public consultations are not likely to result in such a huge response rate—we live in an era where increased connectivity and relatively costless engagement can result in issues “going viral” in a short period of time. Regulators need contingency plans to meet sudden upswings in demand.

Opportunity: Sensing the disruption around the corner

“I don’t pretend we have all the answers. But the questions are certainly worth thinking about.” —Arthur C. Clarke22

Innovative technologies and new business models can catch regulators off guard, especially when those technologies and business models scale quickly. Without a means to sense the next big thing, regulators risk being perpetually behind, missing opportunities for early engagement with service and product providers as well as early consultation with consumers.

This is why it may make sense for regulators to invest time and resources in monitoring the emerging trends around them. Understanding the disruptions that might be around the corner gives regulators an opportunity to gauge the potential impacts of these trends on their mission. One way to do this is to establish a sensing capability. Sensing is the process of identifying potential developments that could impact a business, either as an opportunity or as a threat. For regulatory agencies, a sensing capability could help identify the next innovation or development in a regulator’s industry or field. Understanding what the horizon looks like can help agencies figure out where to allocate resources.

Sensing disruption: IARPA FUSE 

Making sense of the ever-changing technology landscape is daunting, but technology itself may provide some potential answers in the form of useful new tools. Although there are few examples of sensing being used in the US regulatory arena, regulators should look to agencies in the national security and intelligence sector to see how sensing can be applied.

Organizations such as the Intelligence Advanced Research Projects Activity (IARPA), a research agency under the Director of National Intelligence’s responsibility, have been trying to predict and understand the opportunities and threats around them. IARPA’s Foresight and Understanding from Scientific Exposition (FUSE) Program is focused on developing “automated methods that aid in the systematic, continuous, and comprehensive assessment of technical emergence.”23 In short, FUSE aims to help intelligence analysts understand where the newest technologies and innovations can be expected.

For a regulatory agency, similar tools could be employed to scan their domains and identify the latest developments, either innovations or startups. Regulators can then analyze these for their potential risks and benefits to consumers or markets, helping them to be more proactive in identifying and engaging with technologies. For a regulatory agency, incorporating sensing into how it achieves its mission could help prevent things from “passing them by.”

What to consider

  • Understand the emerging technologies. Simply identifying potential “next big thing” innovations in your industry is not sufficient; agencies need to understand the potential regulatory implications of those innovations. Identifying innovations early may provide time to consider regulatory implications and options and begin outreach. For example, the US National Highway Traffic Safety Administration (NHTSA) released its first policy on autonomous vehicles in May 2013,24 before they were expected to become mainstream.25

  • Build networks. Technologies can cut across regulators’ areas of responsibility. Networks are important for trying to stay on top of technologies with potential second- and third-order impacts. Instead of trying to go it alone, NHTSA engaged with other US Department of Transportation (DOT) agencies and car manufacturers to conduct driver clinics to research how vehicle-to-vehicle communication systems function with human drivers at the wheel.26

Opportunity: Guidelines and statements versus regulations

Trying to come up with rules that keep consumers safe while keeping pace with new technologies can feel like playing regulatory whack-a-mole. Health apps are a good example. A 2013 IMSHealth report found “tens of thousands of health, wellness, and medical apps” available for download from major app stores.27

These apps run the gamut from managing weight loss to tracking glucose levels for diabetes patients. Some apps are seemingly innocuous, allowing users to track their exercise or calorie intake. Others have the potential to cause harm, particularly if users replace doctor supervision with feedback from the app. The Food and Drug Administration (FDA), recognizing this possibility, released guidance documents in 2013 and 2015 outlining its approach to identifying the types of mobile medical apps it intends to regulate and to provide “clarity and predictability” for health app makers.28

Some forward-thinking regulators have navigated similar challenges by providing industry innovators with a clear set of guidelines for developing new offerings. In other cases, industry entities have come up with their own set of standards and principles, which could be adopted by a regulator as the base standard.

Guidelines versus regulations: Federal Trade Commission

The Federal Trade Commission (FTC) is responsible for keeping consumers safe, particularly when it comes to privacy. The now-ubiquitous mobile phone has become much more than a traditional phone, and is used in countless daily activities from depositing money in a checking account and hailing a car to work, to tracking individual health data, which has given rise to a multitude of consumer privacy concerns. The FTC agency’s response to the challenging ecosystem of mobile apps may suggest a path forward for other regulators.

Instead of trying to be prescriptive on what apps can and cannot do, the agency recognized that “every app is different” and came up with a set of guidelines. These guidelines provide guidance for both consumers and developers, encouraging app developers to educate themselves early instead of risking non-compliance later.29

The FTC report provides a set of guidelines, including:

—Have a privacy policy and make it easily accessible through the online app stores

—Provide “just-in-time” disclosures and obtain express consent before collecting and sharing sensitive information

—Consider participation in self-regulatory programs, trade associations, and industry organizations that can provide guidance on how to make uniform, short-form privacy disclosures30

The FTC recognized that being overly prescriptive in regulating mobile apps would likely result in quickly outdated regulation and instead stated that “as the mobile landscape evolves, the FTC will continue to closely monitor developments in this space and consider additional ways it can help businesses effectively provide privacy information to consumers.”31

What to consider

  • Advise through guidelines. Guidelines can help both citizens and innovators navigate a rapidly changing technology environment. The FDA’s draft guidance on wearables contains the agency’s proposed guidelines, examples of different scenarios and how they would be evaluated, and the algorithm the agency would use to evaluate devices.32 Innovators working on health wearables could use this document to determine whether they want to proceed with getting FDA approval for their device.

  • Focus on the general now, specifics later. The combination of guidelines and close monitoring of evolving technologies may lead to more tailored regulation down the road. In the FDA example above, the agency can use the guidelines it publishes on wearables as a starting point, should additional regulation be necessary.

  • Give the market and consumers a “heads up.” In addition to publishing guidelines, which do not have the force of a rule but give the regulated a framework of thinking to work within, agencies like the SEC issue statements approved by the Commissioners that provide the public with the agency’s latest thinking on an emerging issue. Both guidelines and statements provide a context for market participants.  If companies are heading in a direction (like making a major investment in a new way of doing business) where it is unclear whether the company’s actions would fall inside or outside the guidelines or the statement, many regulators have a pre-clearance mechanism to allow people to consult with the agency. That gives a company “cover” ahead of any regulation.

Opportunity: Tomorrow’s talent

Attracting and retaining young talent has long been a challenge for federal agencies. The year 2013 marked a low point, with only 7 percent of federal employees under the age of 3033 while the private-sector workforce had nearly 25 percent under 30.34 Looming Baby Boomer retirements, coupled with chronically low numbers of young workers, put federal agencies at risk of becoming digitally deficient.35

Regulators should consider how they can attract younger talent—or potentially risk being deficient in the skills they need to interpret new challenges and create effective solutions. This is a big question for the Internal Revenue Service (IRS), for example, with over half of its employees over 50 years and only 3 percent of its workforce under 30.36 Research shows that Millennials are motivated by organizations with missions that provide public good,37 creating an opportunity for the IRS and other agencies to rethink their marketing. The IRS website features the slogan “Count on me” and markets directly to recent graduates.38

Some agencies have had better luck attracting young talent into public service. With the establishment of CFPB came resumes from young lawyers inspired by the new agency’s mission. Elizabeth Warren, CFPB’s architect, also influenced her connections from Harvard Law School to take up the cause.39 Perhaps the opportunity to shape a new organization with a mission to prevent financial crises like the one that crippled the job market for many, attracted talent that might have otherwise dismissed a federal job.

Beyond diversifying the average age makeup of regulatory agencies, it is important for regulators to identify which skills will be critical to their mission’s success and recruit to these skills, which are arguably different than their workforce today.

Tomorrow’s talent: White House Innovation Fellows 

The federal government generally cannot offer the same salaries or bonuses as some private companies, but it can offer a motivated, young workforce the opportunity to work on some of the nation’s most complex challenges. Expanding rotations, internships, and other nontraditional career paths could attract younger employees and give them exposure to a federal career that they may have otherwise ignored.

In 2012, President Barack Obama established a 12-month fellowship program to attract innovators across industries to tackle complex issues at the intersection of technology and policy.40 Fellows come from a diverse background and are, as program director Garren Givens describes, “folks with technical acumen but [who] also are looking for ways to hack policy and bureaucracy, and break down initiatives into things that are doable today.”41

The Innovation Fellows are using technology to address some of America’s most complex challenges, grouped into open data, platform, and crowdsourcing innovation projects.42 A few examples include:

—Lantern Live: In this crowdsourcing initiative, a fellow partners with the Department of Energy to build a mobile app providing helpful information and assistance during a disaster. The app provides consumers timely disaster preparedness tips, allows them to both report and access information on power outages, and helps them to find fuel and report the status of gas stations.43

—GI Bill® Comparison Tool: In this platform innovation project, several fellows worked with the Department of Veterans Affairs (VA) to launch an online GI Bill Comparison Tool. The tool helps veterans, service members, and dependents calculate their post-9/11 GI Bill benefits and learn about VA’s approved colleges, universities, and available education and training programs across the country.44

Although still a nascent program, close to half of the 60 former fellows chose to stay on with the government, many in a new program in the General Services Administration that focuses on digital initiatives.45 Expanding fellowship opportunities or rotational programs could be a promising way to attract and retain top talent, infusing the federal workforce with technical acumen and fresh ideas to tackle government challenges.

What to consider

  • Consider alternative hiring channels. It takes an average of 105 days to be hired into a federal position,46 a waiting period that could deter many prospective candidates. As seen with the White House Innovation Fellowship, temporary job opportunities like internships or fellowships can help the government with creative problem solving, as well as entice top talent to stay in a federal job. The Commerce Department’s Economic Development Administration (EDA) is thinking about how to bring in entrepreneurs and talent comfortable with taking risks.47 The director is considering implementing a two-year fellowship to support her talent strategy, and could bring in fellows with ideas to improve the EDA’s collaboration with entrepreneurs and small businesses.

  • Build relationships with relevant industries. The Pentagon recently started a new venture-capital-style program to engage with Silicon Valley startups and use their expertise to address national security challenges.48 The program aims to solicit ideas from entrepreneurs to address issues like cybersecurity, something that has become a growing concern. “We do not live in a time where all of the technology, which is of importance for national security will come from the Pentagon. Those times are over,” said Secretary of Defense Dr. Ashton Carter.49 Regulators could benefit from increased partnership with the private sector to crowdsource solutions to complex issues and leverage ideas from industry in the context of solving national crises.

Opportunity: Consultation 2.0

“A variety of studies since the years of public opinion research have demonstrated that people are quite willing express opinions on fictitious objects and events.” —George Bishop, et al.50

Consultation can help the process of rulemaking and lead to better outcomes. It can be used to solicit expert perspectives from both neutral and interested parties to improve regulations, policies, and guidelines so that they are clearer and most likely to lead to the intended results. In cases where there is a real choice to be made between one policy and another, it can also help regulators gain an accurate and balanced appreciation of the citizens’ views.

A formal “notice and comment” process can take up to a year. It commonly involves the preparation of a document and publication in the Federal Register (a daily publication for rules, proposed rules, and notices of the Federal Government) for, say, a 90-day comment period followed by careful analysis of comments. This process can be invaluable in securing insightful perspectives from expert and interested parties to improve the drafting of a proposed rule.  However, while the process can be effective for technical input, it is not always the best way to understand the views of citizens. Studies have shown that people express a view even on things they don’t know anything about. For example, in 1986, political scientist Dr. George Bishop and his team asked a sample of Americans for their views on a fictional “Public Affairs Act of 1975” and other similarly fictitious or unknown legislation. They found that 20–40 percent of Americans offered opinions on laws they have never heard of.51

While comment periods can be effective at eliciting input from technical experts and lobby groups, they can also fall prey to highly mobilized campaigns or interest groups dominating the consultation process to further self-interests, promote personal agendas, or to gain notoriety. In spring 2014, the FCC solicited comments on proposed changes to rules impacting net neutrality and received a steady trickle of valuable and expert views from industry organizations, consumer bodies, and academics over its first month. This all changed in early June when John Oliver, a TV comedian, aired a 13-minute sketch on the issue on his late-night news comedy show and encouraged Internet commenters to “Seize your moments, my lovely trolls, turn on caps lock and fly, my pretties, fly.”52 The resulting barrage of comments overwhelmed FCC systems. On the one hand, Oliver’s segment brought national attention to a choice that the FCC needed to make but had hitherto been seen as a highly technical, potentially dry issue that many citizens might typically pass over. On the other, it failed to provide the FCC with a true appreciation of the balanced views of an informed citizenry.

Fortunately, there are other ways that regulators can collect and interpret comments to gain an appreciation of citizens’ views, which can be deployed alongside the notice and comment process.

Consultation 2.0: Deliberative Society 

The traditional comment or survey processes are vulnerable to ill-informed views and highly mobilized groups with self-interests.

The Center for Deliberative Democracy (CDD) at Stanford University has developed a five-step approach to facilitate the deliberative democratic process, called Deliberative Polling®, which seeks to overcome both of these shortcomings.53 The process “combines deliberation in small group discussions (so participants are informed) with scientific random sampling (to reflect a population and reduce the influence of vested interests) to provide public consultation for public policy and for electoral issues.”54

Deliberative Polling examines the opinion changes through “before-and-after” questionnaires and small group deliberation in order to gauge how people adjust their perspectives after becoming more informed about policy options. The CDD has tested Deliberative Polling as a face-to-face and online policymaking experiment in the United States, European Union, and China. For example, Deliberative Polling enabled residents of Zeguo Township, Wenling City, in the Chinese province of Zhejiang to impact the budgetary decisions of their local government. In March 2005, residents were asked to consider 30 options for infrastructure projects to fund in the coming year.55 The results from the Deliberative Poll were widely accepted by the Zeguo residents, and the process was replicated in subsequent years to decide similar issues. Meanwhile, a nearby town’s leadership did not consult the residents before deciding to give land to chemical plants, and the villagers blocked roads in protest of the policy decision.56

What to consider

  • Take a more strategic approach to soliciting citizen comments. Tools like Deliberative Polling help engage citizens and solicit informed feedback. Zeguo Township, in the case study above, recognized that investment decisions for public infrastructure projects might have been a good opportunity to engage citizens in a key government decision-making process. Another option is to combine direct citizen engagement with open convenings of subject matter experts from academics to practitioners. Interactive dialogue between citizens, rulemakers, and experts could provide a more complete view of the potential benefits and impacts of proposed rules.

  • Increase transparency. Identifying ways to discuss comments in open forums instead of only within an agency could help shape better policies., a website managed by the eRulemaking Program Management Office at the US Environmental Protection Agency (EPA), provides citizens with the ability to comment on draft regulations similar to how one would comment on a blog post.57 Once an agency has processed a submitted comment, users of can see that comment and, once a regulation has been finalized, see how the agency responded to the comments it received during the rulemaking process.

Opportunity: Collaborative regulation

Innovations that cut across regulatory areas of responsibility are yet another challenge facing regulators. Even if the legally responsible agency is the most logical choice to regulate a new innovation or technology, it may not have all the expertise or perspectives needed to develop the most effective rules.

Regulators can consider two potential models to address complex technologies. One option is to use a “lead agency” model. This approach has one regulatory agency running point for the entire process with supporting agencies functioning as advisors. The lead agency would be responsible for synthesizing all the input to develop its rules. Alternatively, agencies could adopt a “partnership” model. This approach has multiple agencies collaborating to develop rules amenable to them and their constituents. Regardless of which approach an agency chooses, collaboration is a key component of regulating innovations that cut across agency areas of responsibility.

Collaborative regulation: Drones and the FAA 

In 2012, Congress tasked the Federal Aviation Agency (FAA), an organization whose mission is to “provide the safest, most efficient aerospace system in the world,” with developing a strategy to integrate drones into US airspace by September 2015.58 The potential for drone use in the civilian space is enormous, with some estimates placing the commercial and non-military market at more than $80 billion by 2025.59 Drones could be used for a number of applications, including wedding photography, bridge inspection, pizza delivery chains, and emergency response. The number of potential applications for drones led the FAA to predict that more than 30,000 drones will be added to US airspace by the end of the decade.60 To put things into perspective, there are currently only 7,000 aircraft over the United States at any given time.61

The FAA published its draft rules in February 2015.62 The challenge the agency faced in the process of developing the draft rules was related to the myriad of applications listed above—drones transcend the traditional silos of regulator responsibility. For example, while the FAA is concerned about maintaining the safety of American airspace, the United States Department of Agriculture (USDA) may have a compelling application for farmers, or a local police force may want to use drones to identify drug production facilities, potentially requiring discussions on citizen privacy and civil liberties. In these cases, the expertise needed to create effective and impactful rules likely resides outside of the FAA.

While the reaction to the FAA’s draft rules was generally positive, the rules are likely to evolve as they cover a rapidly evolving industry.63 Going forward, the FAA could consider applying a lead agency model approach for drone regulation. This approach would respect the FAA’s mission to provide a safe national airspace and legal mandate to regulate drones, yet also engage stakeholders with different areas of expertise from business, academia, civil society, and other government organizations. These working groups could develop recommendations for regulations governing specific use cases for drones. Alternatively, the FAA may choose a partnership model. In this case, the FAA could partner with specific agencies to develop regulations for a specific drone use case—for example, partnering with the USDA for potential applications of drones in agriculture or with the Department of Justice (DOJ) to develop rules for potential law enforcement applications.

What to consider

  • Identify your allies. What are other agencies working on? Do any of them have areas of insight, expertise, or responsibility that it makes sense to engage? Who is looking at overseeing the same industry? For example, one might expect the Bureau of Alcohol, Tobacco, Firearms, and Explosives (BATFE) to be the agency responsible for taking instructions for how to 3D print a gun offline. In the case of Defense Distributed’s Liberator, according to the New York Times, it was actually the State Department’s Directorate of Defense Trade Controls that requested the instructions be taken down.64There are agencies throughout the government who might be working on similar challenges, with different legal authority and perspectives that could be brought to bear on a particular challenge.

  • Determine how to engage other agencies. Should rules be developed collaboratively or should other agencies’ experts serve as advisors or consultants during the rulemaking process? Robotics is an emerging technology that may require extensive collaboration between regulatory agencies. Ryan Calo, a law professor at the University of Washington, has proposed the establishment of a Federal Robotics Commission, an agency that would serve to coordinate robotics regulation efforts at all levels of government—advising policy makers when needed and helping connect regulators working on rulemaking and oversight of the robotics industry.65 While establishing a new agency for every new technology may not be a viable approach, Calo shows that there have been different models of collaboration between regulators in the past when dealing with emerging issues.66

Part two: Oversight and enforcement

In addition to rulemaking, regulators oversee compliance with the published rules, taking enforcement action when violations occur. Today’s regulators have access to significant amounts of data. Larger data sets combined with increasingly sophisticated analytical tools and the power of the crowd can help regulators better utilize limited resources and reduce the burden of compliance on citizens and business.

This section will explore several oversight and enforcement opportunities for the regulator of tomorrow:

  • Correlate to predict
  • Citizen as regulator
  • Open data
  • Collaborative regulating
  • Retrospective review

Opportunity: Correlate to predict

Regulatory inspection is a time-consuming and costly process, and it is prohibitively expensive to monitor everyone. Regulators conduct random inspections, which risks allocating resources disproportionately to non-violators and potentially lets violators make a calculated cost-benefit analysis of the chance of being inspected and determine that any burden of compliance outweighs the potential risks of not complying.

The application of data analytics, however, could improve the return on investment on regulators’ limited investigation resources. Increasing amounts of computing power and cheap storage make it easier than ever to combine and analyze large data sets to identify correlations that indicate potential violations and violators. Regulators may also be able to use data from other government agencies to augment the data they collect from the industry they regulate. Tapping additional data sources can provide new data correlations to identify the warning signs of potential violators. Once potential violators are identified, inspection and enforcement resources can be targeted toward them.

Correlate to predict: FDNY risk-based inspections 

Every day, the New York City Fire Department (FDNY) goes out to investigate buildings for fire risk. As one would imagine in a city as large as New York, the FDNY, in a year, can only investigate a fraction of the total number of buildings it is responsible for—some 50,000 out of an overall population of 300,000 buildings.67

In the last few years, FDNY has built a system called FireCast to help identify the most at-risk buildings. It uses data gathered by the FDNY during inspections—information like occupancy class and number of building sprinklers—and, more crucially, data from New York’s city planning, buildings, environmental protection, and finance departments using the Mayor’s Office of Data Analytics DataBridge infrastructure.68 This combined data set enables the FDNY to run algorithms and analytics to identify and prioritize building inspections.

The FDNY continues to iterate on the data set to increase the likelihood of each inspection identifying actual fire risks over time. Since its launch in 2013, the system has shown signs of success. Fire department officials report that it eases workloads and directs inspectors to some of the city’s most fire-prone buildings, some of which haven’t been inspected in years.69

What to consider

  • Continue upping your data IQ. The skills needed to successfully analyze large and complex data sets should be nurtured to increase an organization’s data IQ. Demonstrating just how important data are for government operations, in early 2015 the Obama administration created the position of US chief data scientist and appointed Dr. DJ Patil to the role.70 Dr. Patil’s goals include providing a “vision on how to provide maximum social return on federal data,” establishing best practices around data management, and increasing collaboration between the public, private, and academic sectors.71

  • Experiment and explore. Not all data will correlate and not all data will end up being relevant, so test a number of hypotheses and models. FDNY’s FireCast is up to version 3.0 as of this writing, with each new version incorporating advances, lessons learned, and insights from prior versions.72

  • Determine data gaps. Evaluate current data sets to identify gaps. Keep in mind that not all data are equally shareable and there may be restrictions on which data can be combined. Project Open Data Dashboard by the US General Services Administration’s team tracks the performance of CFO Act Agencies against the White House’s Open Data Policy.73 This tool provides citizens, civil servants, and policy makers with insights into where there are data gaps and also enables agencies to be recognized for their efforts.

Opportunity: Citizen as regulator

In an era of budgetary constraints and limited resources, regulators may find it difficult to collect all the data they need. However, regulators have a valuable new data source to tap into—data from citizens.

Crowdsourcing data from citizens can occur in two different ways:

  • Active data gathering: Sources that require a user to engage with a regulator on a one-time or continuous basis, such as setting up a sensor network or downloading an app
  • Passive data gathering: Sources that do not require a citizen to interact directly with the regulator; these may include review and ratings sites and social media

For either approach, consider ways to gain access to the data. Gaining access may require negotiation and transparency with the appropriate stakeholders—such as companies that possess the data and citizen interest groups—around how the data will be used. Tapping into these data can provide a more granular level of insight into what citizens and consumers on the ground are experiencing, to better focus limited monitoring and enforcement resources.

Citizen as regulator: Federal Communications Commission Speed Test App

In 2012 the FCC expanded the scope of its Measuring Broadband America program to include mobile broadband performance. The FCC wanted to use the collected data to “inform consumers, industry and policymakers with the goal of improving mobile broadband performance nationwide.”74 To get the data, the FCC created an app.

The FCC Speed Test App allowed users to measure their mobile broadband performance and anonymously provide these data to the agency. The alternative to crowdsourcing these data would likely have been an extensive survey, which may have provided only a point-in-time snapshot of mobile broadband performance and may have required input from mobile phone companies to gain a complete understanding of the network. Instead, through its app, the FCC receives a continuous feed of anonymized mobile broadband performance data, enabling a holistic and near-real-time view of the state of mobile broadband across America.

In the words of the FCC’s CIO, Dr. David Bray, the FCC Speed Test App represented a “10x return” on an initial investment of $150,000 and showed that the “public is hungry for things to do that were previously the role of government.”75

What to consider

  • Data availability. A key first step is identifying the necessary data. For example, the New York City Department of Health and Mental Hygiene wanted to track food-borne illnesses. The agency used Yelp data to identify three previously unknown food-borne illness outbreaks, clustered around three different restaurants. When health inspectors visited these restaurants they found numerous health code violations.76

  • Verification. Before taking any action on data it is important to verify that they are trustworthy. This may involve doing due diligence on the source or requiring a threshold of complaints. Crowdsourced data may be a strong indicator and can help regulators be targeted in investigations, but will need supporting evidence to identify a violation. In some cases, a trend or statistically significant indicator emerges only in a large enough data set. One of the ways the National Oceanic and Atmospheric Administration refines its weather models is through the use of an app, called mPING (Meteorological Phenomena Identification Near the Ground).77 This app lets users provide observations about the weather around them, anonymously and as frequently as every 30 seconds.78 With a large enough sample size, “crowdsourcing consistency essentially defines the first level QC [Quality Control] process.”79

  • Privacy and data security. It is important to have clear expectations around user privacy, anonymity, and data usage. In some instances, associating specific bits of data to a user is necessary—for example, in a tool that allows consumers to submit complaints directly to an agency, or the FCC Speed Test App, where no personal data are needed and user anonymity makes sense.

Opportunity: Open data

“Information wants to be free.” —Steward Brand80

Sometimes the expertise and insights that can help you glean the most important findings from your data exist outside your organization. One potential solution to this problem is to open-source the data, making them available to interested citizens, companies, and non-profits.

There are a number of potential benefits to sharing data publicly. It makes the data available to people who do not work for your agency—experts, interested laypeople, and industry analysts. These groups bring different viewpoints, perspectives, and skillsets to bear, potentially resulting in analysis and conclusions that may otherwise have been missed. Publicizing data also helps educate the public on a regulator’s mission and focus.

However, before opening up all your data, certain factors need to be considered. The data to be published should be as accurate as possible, to help stakeholders draw valid conclusions. Additionally, the format of the data should be well defined and clearly communicated through documentation and examples. Also, consider potential second- and third-level impacts of the data being published. One specific data set may not be enough to identify an otherwise anonymous entity, but combining those data with other data sets might.

Open data: Kennedy v. City of Zanesville

For over 50 years, residents of a predominantly African-American part of Zanesville, Ohio, were denied access to clean water from the city water line, having to instead use rainwater or drive into town for water.81 Eventually they sued. One of the key pieces of evidence used in the case was a map created from open data. Data from the water company, including which houses were connected to the water line, were combined with data showing town demographics. The resulting map was striking; there was a significant enough correlation between the houses occupied by the white residents of Zanesville and the houses hooked up to the city water line that a judge ruled in favor of the African-American plaintiffs, awarding them a $10.9 million settlement.82 Something as simple as combining two open data sets laid bare alleged discrimination against these Zanesville residents.

What to consider

  • What data can we share? A key consideration is to make sure the data being shared do not reveal proprietary or personally identifying information. Anonymizing the data sets to be shared should be strongly considered prior to any data being published. For example, CFPB recently enabled consumers to opt in to publish their complaint publicly in its Consumer Complaints Database.83 In addition to making public posting an opt-in choice, CFPB also provides information on how the data will be used, what data will be anonymized, and how a consumer’s private information is protected.84

  • How are the data shared? Data can be shared through an application program interface (API) or in a raw form. The format of the data should be considered as well; ideally data should be shared in way that can be easily combined or cross-linked to other data sets. This likely means adhering to set standards or widely used data formats. In the case of CFPB’s Consumer Complaints Database, the data can be accessed through an API or exported in a number of different file formats for offline analysis.85

Opportunity: Collaborative enforcement

In a number of cases, due either to industry or circumstance, companies and individuals may have to deal with multiple regulatory agencies. For example, they may need Occupational Safety and Health Administration for workplace-related matters, the Department of Labor for human capital-related matters, and local or state regulators focused on their industry. In complicated markets like finance, these different regulatory agencies may be requesting similar, or even the same, data sets to carry out their duties.

This duplication burdens both the regulated entity and the regulator. The regulated entity has to respond to multiple requests for similar sets of data, and regulators generally have to use limited resources and wait to receive the data, even though a peer agency may already have a data set they could use. One potential solution is to find ways for industry and regulators to collaborate, both to rationalize the requests being made and to better share data between regulators. For example, a given agency may only visit or investigate a fraction of the companies it is responsible for, and those it is unable to cover may be accessed by other regulators who could bring back useful data.

Collaborative enforcement: “Tell Us Once” United Kingdom (UK) 

Losing a loved one is a difficult time for a family, exacerbated by bureaucratic processes to register the death. Families are responsible for informing multiple agencies in order to officially register the death.86 The UK government developed the “Tell Us Once” service that allows families to register a death online and that information is shared with multiple organizations including:

  • Her Majesty’s Revenue and Customs87

  • Department for Work and Pensions88

  • Driver and Vehicle Licensing Agency89

  • Passport office90

  • The local council91

This service allows multiple organizations to receive necessary data while working to eliminate the burden on the citizen during a particularly vulnerable time.92

What to consider

As regulators embark on an era of increased collaboration, they should consider the following:

  • Potential partners. What other agencies are engaged in this space? Identifying the right partners and setting up the necessary agreements can help facilitate data sharing and collaboration. As the supply chains for new medicines go global, so too must regulators who aim to keep the patient safe. A new organization, the International Coalition of Medicines Regulatory Authorities (ICMRA), is being launched to help increase collaboration and coordination among global medicinal regulatory agencies.93 One of the key goals for this new organization is to “avoid duplication of efforts” among its approximately 25 global member agencies.94

  • Data usage. Not all data can be shared. Limiting data access to those authorized helps build trust between regulators and regulated entities. ICMRA is a relatively new organization, but it has already set up a working group focused on “rapid sharing of information” to address issues related to sharing data between regulatory agencies from around the world.95

Opportunity: Retrospective review

“If you make ten thousand regulations you destroy all respect for the law.” —Winston Churchill96

Every day new regulations are proposed, draft regulations commented on, and final rules published in the Federal Register. These rules add to the existing set of regulations and expand the oversight and enforcement scope of regulators. From the perspective of the regulated entity, these new rules may represent an investment—of time, effort, and money—to understand whether the new rules apply and, if they do apply, are they impacted by any additional regulations as a result.

Executive Order 13563 (Improving Regulation and Regulatory Review) contains one solution to this problem. It requires federal regulatory agencies to develop and submit plans to review their significant regulations “to determine whether any such regulations should be modified, streamlined, expanded, or repealed so as to make the agency’s regulatory program more effective or less burdensome.”97 From an oversight and enforcement perspective, regular review of published regulations can help regulators identify whether there are areas they no longer need to focus resources on or if there is an area they are not overseeing as aggressively as they should be.

While it is a challenge to review the entire set of regulations an agency has issued, this exercise is a way to build trust with industry and show the agency’s commitment to continuous improvement. The advent of new technologies like machine learning and artificial intelligence may make this task easier, enabling more frequent regulatory reviews.

Retrospective review: The Better Regulation Executive 

In 2005, the United Kingdom created a new government agency, the Better Regulation Executive, to “maximize regulatory protection while minimizing unnecessary regulatory burden.”98 The UK government at the time committed to reducing the total administrative burden by 25 percent over five years or £3.5 billion annually, and used this goal to incentivize agencies to review their existing regulations. Scaling for GDP and exchange rates, this would be the equivalent of a $34 billion annual reduction in administrative costs in the United States.99

In the process of reviewing their existing regulations, UK regulators identified opportunities to streamline their oversight and enforcement activities, reducing the burden on both the agencies and those they regulate. With regulators being confronted with requests to regulate some new development or innovation, the £3.5 billion goal provided UK regulators with an incentive to commit resources to reviewing their existing regulations and identifying opportunities for improvement.

The agency continued to evolve its approach to achieving impactful yet minimally burdensome regulation. In 2012, the Better Regulation Executive implemented a one-in, two-out rule for regulation.100 Any agency wishing to implement a new regulation had to repeal two existing regulations that were equivalent in cost so that the burden imposed by the agency remained the same. This approach drives prioritization of regulation by agencies and, at least anecdotally, increased consideration of alternatives to regulation.101

What to consider

  • Quantify the burden. Quantifying the burden of regulations along with the oversight and enforcement costs are some key first steps. Other nations have used similar studies as a starting point for discussions about opportunities to improve the general regulatory system.102 The NHTSA periodically reviews the regulations it has issued since 1970 to evaluate their effectiveness. It reviews these regulations from a number of different perspectives—“lives saved” is a key metric as is “cost per life saved.” Likewise, “crashworthiness,” “crash avoidance,” and general “cost and weight” additions to consumer vehicles because of NHTSA regulations are other factors used to evaluate rules.103

  • What happens to ineffective rules? Ineffective or duplicative regulations could be modified, in the hopes of making them more impactful, or removed entirely. In the United Kingdom, the Red Tape Challenge program crowdsourced feedback on different sets of regulations. Not only were citizens asked to provide feedback on whether they thought a regulation was working or not, they were also given free rein to suggest simplifications or modifications to specific regulations.104 The Cabinet Office took this feedback into consideration as it examined how to streamline the United Kingdom’s regulatory regime and acted on this citizen input when feasible.105

Becoming the regulator of tomorrow

"Our regulatory system must protect public health, welfare, safety, and our environment while promoting economic growth, innovation, competitiveness, and job creation . . . It must identify and use the best, most innovative, and least burdensome tools for achieving regulatory ends." —President Barack Obama

Regulations can play an essential role in protecting citizens and businesses, but if not done strategically, they risk being costly and burdensome for both agencies and businesses. A key task for regulators is to find effective and efficient strategies to overcome the challenges they face and achieve their agency’s mission.

Regulators are facing significant challenges—keeping up with technical and business model innovations, growth in the number of suppliers of goods and services, increasingly digital constituents, and the changing attitudes and behaviors of industries and consumers. The challenges are complex, but provide regulators the opportunity to examine “business as usual” in an effort to remain relevant and effective in our rapidly changing environment.

Exciting opportunities exist for regulatory leaders to navigate today’s challenging landscape and prepare for the future—both in how they approach rulemaking and in the way they enforce rules. By aligning technology, strategies and processes, and talent, regulators have the opportunity to become the regulator of tomorrow.

Deloitte’s federal practice works with federal civilian agencies to help them improve performance, enhance efficiency, and achieve their missions. Through our services, we can help agencies:

  • Strategically select and migrate to a shared service model 

  • Enhance the way financial regulators supervise and examine the regulated community

  • Adopt the latest technological solutions to help mitigate risks and protect against cyber threats

  • Modernize core international development and diplomacy programs

  • Redefine the end-to-end process of eligibility determination and benefit/entitlement/credit provision to citizens

  • Improve service delivery to help drive enhanced competitiveness and customer satisfaction and retention