The trajectory of financial regulation is currently not in ideal sync with the evolution of regtech , the infusion of compliance tools in financial institutions and the rise of algorithmic markets. Financial institutions increasingly operate through automated systems that trade securities, monitor transactions, manage risk, ensure compliance and generate regulatory reports without continuous human intervention. Yet the rules governing these systems remain predominantly expressed in natural language documents—circulars, guidance notes, and regulatory manuals written for humans, typically Bank lawyers, product owners, tech teams risk and compliance professionals. This creates a certain degree of ambiguity: the operative rules embedded in financial infrastructure are not the official regulations themselves, but rather private interpretations of those regulations into executable code, performed by each institution’s technology staff.
This article argues that financial regulators should fundamentally reorient their approach to rule promulgation, treating machines—not humans—as the primary audience for regulatory text.
By publishing regulations in machine-readable and machine-executable formats alongside traditional legal prose, regulators can reduce implementation variance, enable continuous compliance verification, lower costs, enhance supervisory capacity, and ultimately reclaim public control over how rules actually operate in practice. While acknowledging significant risks—including over-formalization, embedded bias, and loss of adaptive flexibility—I argue that the alternative is worse: continuing to write exclusively for human readers effectively delegates the real work of lawmaking to private actors whose interpretations and implementations remain opaque to public scrutiny. Explainabilty and Audit at a later post facto level may erode effective compliance, hence better communication with machines is necessary
The Algorithmic Reality of Modern Finance
The modern financial system operates at speeds and scales that defy human supervision. High-frequency trading algorithms execute millions of trades per second. Transaction monitoring systems scan billions of payments daily for suspicious patterns. Risk dashboards aggregate exposures across global portfolios in real time. Regulatory reporting platforms generate thousands of data points for submission to multiple supervisors. Every one of these functions is performed not only by compliance officers interpretations of rulebooks, but by software interpreting what programmers thought the rules meant.
Yet the authoritative source of these rules—the actual legal text—remains written in natural language, published in PDFs, and often require nuanced judgment in interpretation. When the Basel Committee publishes new capital requirements or the Financial Action Task Force updates AML guidance, the documents go to legal and compliance teams, who draft policies for IT departments, who write code. At each step, meaning shifts as discretion creeps in. Interpretation diverges. The result is not uniformity but different institutions implementing ostensibly identical rules in materially different ways. This fragmentation is not merely inefficient; it increases compliance risk. As recent scholarship demonstrates, when legal rules must be translated into technical systems, the translation process becomes a site of regulatory power that operates outside the regulator’s immediate reach. The coders—not the regulators, not legislators—become the de facto lawmakers.
Four Benefits of Machine-Executable Regulation
What if, instead of writing regulations exclusively for lawyers and then expecting technologists to reverse-engineer executable versions, regulators published rules in both human-legal and machine-executable formats simultaneously? This is already happening in narrow domains—tax authorities publish executable logic for return calculations; customs agencies provide tariff-determination algorithms; central banks issue machine-readable data schemas for regulatory reporting. The need of the day, however, is to expand its reach, to make machine executable formats the norm, not the exception.
The benefits are substantial and concrete. First, machine-readable regulation eliminates interpretive drift. When JPMorgan Chase, HSBC, and Deutsche Bank all import the same executable rule specification, they are—by definition—implementing the same rule. Ambiguities must be resolved upstream, by the regulator, not downstream through divergent implementations. This does not eliminate discretion; it relocates it to the rulemaking process where it belongs.
Second, executable regulation enables continuous, real-time compliance. Today’s regime relies on periodic checks: quarterly reports, annual audits, episodic examinations. These are snapshots of the past, not real-time monitoring of the present. When rules exist as code, they can be integrated directly into transaction processing, risk management, and control systems. Violations are detected—and often prevented—at the point of occurrence, not months later during a manual review. This shift from retrospective to anticipatory compliance represents a fundamental change in regulatory architecture, one that aligns legal obligations with operational realities in modern financial institutions.
Third, machine-readable regulation dramatically reduces implementation costs and errors. When new rules are published in executable form, compliance departments can test them against existing systems immediately, identify conflicts or gaps, and deploy updates without expensive rounds of legal interpretation and manual coding. The Bank for International Settlements estimates that banks spend billions annually translating regulatory text into operational controls; much of this expenditure is pure waste, duplicative effort across institutions doing the same translation work. Standardized, machine-executable rules convert this fixed cost into a shared public good.
Fourth, executable rules empower supervisors. Currently, regulators rely on self-reporting by institutions and periodic examinations to assess compliance. With machine-readable rules, supervisors can run system-wide validations automatically: Does every institution’s implementation pass the regulator’s test suite? Can supervisors simulate the impact of rule changes across the entire banking system before publication? Can they detect emerging risks by analyzing deviations from expected patterns? The answer to all three questions becomes yes. Regulation shifts from trust-and-verify to verify-then-trust.
Furthermore, MRC enables automated compliance checks, faster detection of violations or errors, standardized compliance processes across jurisdictions, and automatic report generation. These approaches can significantly enhance regulatory adherence across industries, particularly in sectors such as finance, where compliance is critical.
Layered Architecture for Regulatory Legitimacy
Writing for machines does not mean abandoning human readability or democratic legitimacy. The solution is layered regulation: a canonical legal text that serves as the authoritative, human-readable statement of the law; a formal, computable representation that captures the rule’s logic in a machine-processable format; and standardized data schemas and test suites that define exactly what compliance means in operational terms. All three layers would be published together, with explicit statements about precedence (the canonical text controls in case of conflicts) and processes for reconciling discrepancies.
This layered approach aligns with established frameworks in machine-readable regulations. The evolution from Machine-Readable Regulations (MRR) to Semantic Machine-Readable Regulations (SMRR) to Machine-Executable Regulations (MER) and finally to Rules as Code (RaC) represents increasing levels of sophistication. MRR focuses on structure and accessibility using formats like XML, making content readable to machines. SMRR adds semantic metadata to provide both internal insights (understanding various meanings) and external insights (relationships between provisions). MER and MCR enable actual execution of regulatory logic through codification. RaC integrates modular legal components to avoid repetition and ensure consistency across documents.
This approach is already proven in some domains. Software engineers routinely write documentation, formal specifications, and executable code for the same system; they are different representations of the same underlying logic, optimized for different audiences and purposes. Tax authorities provide human-readable guidance, machine-readable calculators, and test datasets. The European Union’s General Data Protection Regulation, while criticized for ambiguity, has prompted development of formal ontologies and decision trees that translate its principles into machine-checkable rules.
The key is recognizing that machine-readability is not a substitute for human judgment but a complement to it. The canonical text preserves legislative intent, constitutional constraints, and the capacity for judicial review. The formal representation ensures consistent interpretation. The executable code provides operational certainty. Each layer reinforces the others, creating a regulatory ecosystem that is simultaneously more precise (fewer implementation errors), more transparent (the regulator’s own interpretation is published, not hidden), and more accountable (deviations between text and code must be justified and documented).
Technical Standards and Formats for Machine-Readable Regulation
The choice of machine-readable format is critical for successful implementation. Several established standards have emerged:
JavaScript Object Notation (JSON) provides a lightweight, easily parsed format ideal for transmitting data between systems. JSON schema allows developers to specify document structure, constrain content, and verify the integrity of API requests and responses.
XML remains one of the most prominent machine-readable formats, used in regulations such as the United States Legislative Markup (USLM) and the UN’s Akoma Ntoso. XML-based regulations contain hierarchies of tags and attributes that improve internal document structure, though they may lack developed methods for connecting legal documents in machine-readable ways.
eXtensible Regulatory Reporting Language (X2RL) represents an advancement over XML, adding attributes and models designed to enrich metadata. X2RL processes legal content, intent, scope, and meaning while identifying the depth of external structure to link multiple documents together, reducing economic costs and enabling efficient data interchange.
YAML (YAML Ain’t Markup Language) offers another markup option for structuring data in human-readable format, supporting scalar datatypes including lists and arrays. As a subset of JSON, YAML can often be used interchangeably.
Resource Description Framework (RDF) and Web Ontology Language (OWL) serve more specialized purposes for web-based data representation. RDF uses subject-predicate-object triples to facilitate data integration and interoperability. OWL represents domain knowledge through classes, properties, axioms, and instances, supporting expressive semantic representation in distributed environments.
The selection of format should balance technical requirements with practical considerations: interoperability across systems, ease of validation, support for semantic annotation, and compatibility with existing regulatory infrastructure.
Market Structure Implications
One of the benefits of machine-readable regulation is its potential to create a level playing field between large and small institutions. Today, regulatory complexity favors incumbents. Global banks employ compliance professionals and can afford bespoke legal interpretations and custom IT systems. Community banks and fintech startups do not possess the budget for such robust back office arrangements . The result is uneven compliance mechanisms across the financial sector due to a compliance barrier to entry that protects established players and stifles innovation. This creates compliance blind spots in non-bank sectors , a potential threat to financial stability.
Machine-readable regulation inverts this dynamic. When a regulator publishes executable rules and test suites, the marginal cost of compliance for a new entrant drops dramatically. A startup can import the regulator’s code library, integrate it with off-the-shelf systems, and validate compliance automatically—without building proprietary infrastructure. By making regulatory code public and standardized, authorities can ensure that the law embedded in systems is the law they actually wrote, not a proprietary interpretation locked inside incumbent institutions.⁵
This shift also reduces regulatory arbitrage. Currently, institutions exploit ambiguities in rule texts, choosing interpretations that minimize costs or maximize profits while staying within defensible readings of the law. When the regulator publishes the canonical interpretation as executable logic, this space for strategic ambiguity collapses. The rule means what the code says it means. Institutions can still innovate, compete, and differentiate—but they must do so within a transparent, uniform regulatory framework, not by gaming textual loopholes.
Potential Risks and Limitations
Machine-readable regulation is not universal remedy, and its risks must be acknowledged. The most serious is over-formalization: the danger that reducing complex legal principles to executable logic will strip away context, nuance, and the capacity for equitable judgment. Law is not mathematics. The Rules accommodates exceptions, evolves through interpretation, and sometimes requires human wisdom that resists codification. A rule that works perfectly in ninety-nine cases may fail catastrophically in the hundredth, and no algorithm can fully anticipate every edge case.
Second, executable regulation risks embedding biases directly into operational systems. If a rule encodes assumptions about ‘normal’ transactions or ‘suspicious’ behaviors drawn from historical data, it will replicate historical patterns of discrimination. This is the well-documented problem of algorithmic bias, but with higher stakes: when the algorithm is not a private company’s tool but the regulator’s official implementation of law, challenging it becomes a matter of challenging the law itself. Transparency is essential—machine-readable rules must be auditable, explainable, and subject to review not just for legal correctness but for fairness and equity.
Third, there is a risk of rigidity. One advantage of prose-based regulation is its flexibility: as circumstances change, institutions and courts can reinterpret rules to fit new contexts. Executable code, by contrast, does exactly what it says—no more, no less. This precision is usually a virtue, but it can become a constraint when rules need to adapt faster than the formal amendment process allows. The solution is not to abandon machine-readability but to build in mechanisms for rapid updates, version control, and transparent change logs, treating regulatory code like the critical infrastructure it is.
The Imperative for Regulatory Code Authorship
Financial regulators who write exclusively for human readers are not, in practice, the authors of the operative rules that forms the back end of the financial system. They are the authors of source material that private actors—compliance consultants, law firms, technology vendors, and in-house developers—translate into the rules that actually run compliance tools and risk engines. This translation is not neutral. It is an exercise of interpretive power, performed behind closed doors, without public scrutiny, and often driven by commercial incentives at odds with regulatory objectives.
By continuing to publish regulations only in prose, regulators are effectively outsourcing lawmaking to private coders. They are allowing the real rules to be written by actors who may not share the public’s interests .
The alternative is clear: regulators must learn to speak in code because code is the language of implementation in a digitized financial system. When regulators publish machine-executable rules alongside legal text, they reclaim control over how their rules actually operate. They make compliance verifiable rather than self-certified. Bring regulatory clarity. Not a call to eliminate human judgment. It is a call to align the form of regulation with the form of the system it regulates.
References
- Financial Stability Board. (2025). “Monitoring Adoption of Artificial Intelligence and Related Vulnerabilities in the Financial Sector.” Basel: FSB, October 10, 2025.Available at: https://www.fsb.org/2025/10/monitoring-adoption-of-artificial-intelligence-and-related-vulnerabilities-in-the-financial-sector/
- Yeasmin, Samira and Alshemaimri, Bader. (2025). “Bridging Machine-Readable Code of Regulations and its Application on Generative AI: A Survey.” International Journal of Advanced Computer Science and Applications (IJACSA), 16(10).DOI: 10.14569/IJACSA.2025.0161050Available at: https://thesai.org/Publications/ViewPaper?Volume=16&Issue=10&Code=IJACSA&SerialNo=50
- S. Securities and Exchange Commission and Federal Financial Regulators. (2024). “Financial Data Transparency Act Joint Data Standards.” Federal Register, 89 Fed. Reg. 67890, August 22, 2024.Available at: https://www.cov.com/en/news-and-insights/insights/2024/08/federal-agencies-begin-to-implement-the-financial-data-transparency-act.
- International Swaps and Derivatives Association (ISDA). (2022). “Digital Regulatory Reporting: Market and Regulatory Initiatives.” New York: ISDA, March 1, 2022.Available at: https://www.isda.org/a/33PgE/Digital-Regulatory-Reporting-Market-and-Regulatory-Initiatives.pdf
- Financial Conduct Authority (UK). (2024-2025). “AI Regulation in Financial Services: FCA Developments and Emerging Enforcement Risks.” London: FCA.Available at: https://www.regulationtomorrow.com/eu/ai-regulation-in-financial-services-fca-developments-and-emerging-enforcement-risks/
- Bank of England and Financial Conduct Authority. (2024). “Survey of Machine Learning in UK Financial Services.” London: Bank of England, November 2024.Available at: https://www.bclplaw.com/en-US/events-insights-news/ai-regulation-in-financial-services-turning-principles-into-practice.html
- Fintech Open Source Foundation (FINOS). (2025). “Common Controls for AI (CC4AI): Open-Source Framework for Financial Services AI Governance.” November 4, 2025.Available at: https://biztechmagazine.com/article/2025/11/financial-services-works-toward-common-ai-controls-streamlined-compliance
- Covington & Burling LLP. (2024). “How Will the SEC Expand the Use of Machine-Readable Data?” Washington, DC: Covington, February 2024.Available at: https://www.cov.com/en/news-and-insights/insights/2024/02/how-will-the-sec-expand-the-use-of-machine-readable-data
Annex 1 : A Note on the Emerging Techniques for Extracting Machine-Readable Regulations
Converting natural language regulations into machine-readable formats requires sophisticated natural language processing (NLP) and machine learning techniques. A layered approach combines multiple methods:
Foundational techniques prepare text for analysis. Text preprocessing includes tokenization, stop word removal, and stemming or lemmatization to clean and normalize regulatory text. Named Entity Recognition (NER) identifies and categorizes entities such as organization names, dates, locations, and regulatory entities (laws, rules, directives) into predefined categories. These techniques ensure accurate and efficient downstream processing.
Intermediate approaches organize and categorize regulatory content. Rule-based approaches use handcrafted rules based on domain-specific semantics and syntactic-lexical patterns to capture specific formats within text, though knowledge transfer across domains can be challenging. Topic modeling through algorithms like Latent Dirichlet Allocation (LDA) and Non-negative Matrix Factorization (NMF) identifies hidden themes and major topics in regulatory documents. Text classification employs supervised learning algorithms such as Support Vector Machines (SVMs) or deep learning architectures like Convolutional Neural Networks (CNNs) to categorize regulations into domains (financial, environmental, healthcare).
Advanced methods provide deeper understanding and structured representation. Semantic analysis interprets meaning and context, analyzing relationships between words and phrases to infer regulatory intent and implications. Information extraction converts unstructured regulatory text into structured data through sentence segmentation, part-of-speech tagging, entity recognition, relation extraction, and event extraction—identifying obligations, permissions, prohibitions, and conditions. Knowledge graphs organize extracted entities into interconnected graph structures representing relationships and attributes, enabling reasoning, querying, and visualization of regulatory dependencies.
Machine learning architectures applicable to this conversion include Recurrent Neural Networks (RNNs) with Long Short Term Memory (LSTM) for capturing long-range sequences, Transformer Models for semantic parsing that capture structural and semantic information, Sequence-to-Sequence (Seq2Seq) Models for converting input sequences to machine-readable outputs, Graph Neural Networks (GNNs) for representing language as graphs and capturing semantic relationships, and Large Language Models (LLMs) for comprehensive natural language understanding and generation.
Applications in Financial Services
Machine-readable regulations enable transformative applications across financial services:
Regulatory Compliance Automation: ML algorithms can identify patterns between historical regulatory data and current implementation to ensure institutional compliance. ML models extract relevant information from regulatory documents to generate compliance reports automatically, reducing manual work. Dynamic monitoring keeps systems current with regulatory bodies, identifying areas requiring policy updates.
Risk Assessment and Predictive Analytics: With sufficient data and training, ML can predict future regulatory developments and assess their potential impact on businesses, providing time for regulatory reform and allowing firms to anticipate compliance risks.
Legal Research and Policy Analysis: ML algorithms help summarize complex regulations and extract key insights by analyzing regulatory data with NLP. This identifies trends and patterns in the legal industry, aiding research and policy analysis.
Industry-Specific Implementation: Beyond financial services, healthcare industries can ensure HIPAA compliance through ML-assisted automated compliance monitoring, risk assessment, and reporting. Manufacturing can ensure adherence to safety, environmental, and quality standards through ML-enabled regulatory compliance frameworks.
Financial Reporting Enhancement: MRR can make reporting processes more efficient and faster by automating report generation with greater accuracy and consistency. Standardizing data description and identification, digitizing reporting instructions, and generating reports through MRR ensures 100% adherence to regulations reflected in financial statements and compliance reporting.
Generative AI and Large Language Models
The emergence of Generative AI (GenAI) and Large Language Models (LLMs) introduces powerful new capabilities for regulatory compliance management:
GenAI creates new content—text, images, sounds, animations—based on various inputs using Neural Networks to identify hidden patterns and structures. Foundation models trained on vast unlabeled data can be applied across industries.
Five algorithmic frameworks underpin GenAI systems:
Autoencoders compress high-dimensional data into lower-dimensional latent spaces. Variational Autoencoders (VAEs) add constraints to latent variables for desired distributions, though outputs may be blurry.
Generative Adversarial Networks (GANs) train two competing neural networks—one generating new data, another predicting whether generated data belongs to original input—producing increasingly authentic synthetic data.
Autoregressive Models sequentially predict each variable component based on prior elements, with exceptional density estimation capability. Transformer models with self-attention mechanisms enable parallel processing and selective focus on sequence elements.
Diffusion and Flow-Based Models add noise to data and reverse-engineer for reconstruction (diffusion), or leverage normalizing flows for probability distribution between data and latent space (flow-based), particularly useful for density estimation.
Foundation Models (FMs) trained on vast data produce highly accurate, diverse outputs from images to complex simulations, enabling specific task performance based on limited datasets for improved results.
LLMs work with massive text data to understand and generate human language, predicting word sequence likelihood or generating new text. When trained on legal documents, regulations, and policies, LLMs can be fine-tuned to identify similarities between new policies and outdated regulations, highlight areas of change, and identify issuing entities. This capability can significantly reduce time and effort in regulatory change management, making policy updates more efficient.
However, LLMs require complete and consistent training data to generate expected outcomes. Advances in semantic technologies such as ontologies and knowledge graphs can facilitate semantic interoperability, enabling more precise and context-aware interpretation of Machine-Readable Regulations.
( For Details : Yeasmin, Samira and Alshemaimri, Bader. (2025). “Bridging Machine-Readable Code of Regulations and its Application on Generative AI: A Survey.” International Journal of Advanced Computer Science and Applications (IJACSA), 16(10).DOI: 10.14569/IJACSA.2025.0161050Available at: https://thesai.org/Publications/ViewPaper?Volume=16&Issue=10&Code=IJACSA&SerialNo=50)
Leave a Reply