Embracing technology to help manage risk, reduce administrative burdens, and improve efficiencies is a strategy that’s been developing in the compliance space for a while, but the coronavirus pandemic has fast-tracked the urgency behind it. A pair of recent reports explores this trend in more detail, as well as the compliance risks and opportunities created as a result.
“The COVID-19 pandemic has certainly accelerated the trend of digital adoption in the compliance space,” says Joanna Ludlam, a partner at Baker McKenzie. This finding was confirmed by 47 percent of more than 1,500 compliance leaders surveyed around the world in the law firm’s 2020 “Currency of Connection” report.
The sector most likely to roll out new technologies was “technology, media, and telecommunications” (TMT), cited by 57 percent of respondents in this industry. In comparison, “energy and infrastructure” and “industrials” reported the pandemic has had a “relatively low impact on their digitalization plans,” the Baker McKenzie report found.
A separate industry report, “Fintech, Regtech and the Role of Compliance Report 2021,” conducted by Thomson Reuters Regulatory Intelligence (TRRI), uncovered similar findings. In that report, 70 percent of more than 400 compliance and risk practitioners surveyed said the pandemic has increased their reliance on technological solutions. This increased to 81 percent among global systemically important financial services institutions. “The report confirmed what we’ve been hearing from the industry, which is that digital transformation in the broader sense has been hugely accelerated with the pandemic,” says Susannah Hammond, senior regulatory intelligence expert for TRRI and the report’s author.
While this trend is being observed across several risk and compliance areas, compliance officers arguably get the most benefits through the adoption of RegTech solutions (the management of regulatory processes through technology). In the TRRI survey, respondents identified several RegTech solutions that help manage compliance through automation, monitoring, or screening processes, including know your customer (KYC) and onboarding tools, anti-money laundering and sanctions compliance, and regulatory change management.
Baker McKenzie’s report further analyzed the compliance risks that can result from the rapid rollout of new technologies. According to the survey, 41 percent of respondents reported their organizations have faced an investigation or enforcement action due to ill-considered and poorly implemented technologies.
“We are seeing an increase in regulators’ and enforcement agencies’ focus on compliance technology,” Ludlam says. They’re scrutinizing the way in which companies use technology to do such things as monitor employee conduct, conduct investigations, implement financial and compliance controls, and support the compliance function overall.
“Regulators really value the consistency and comprehensive oversight that technology can bring,” Ludlam adds. “They value the fact that technology can result in more timely production of information in response to investigations.” That speaks to the importance of not only understanding the expectations of regulators and government agencies from a technology standpoint, but also implementing them.
This is particularly important in financial services, where the rapid pace of digital change is creating heightened compliance risks more than in any other industry, the Baker McKenzie report found. In that report, 52 percent of respondents said pressure to pivot to digital products is “dramatically increasing the risk exposure of their organizations,” followed by 40 percent in healthcare and life sciences.
Despite the heightened risk of enforcement actions, 34 percent of overall respondents said their organization had implemented technology with little regard for the compliance risks that such decisions potentially generate, and 47 percent responded that the compliance team or risk managers are rarely consulted about compliance risk when making strategic decisions regarding the acquisition of new technologies.
Again, compliance risk seems to be heightened for financial services. In the Baker McKenzie report, 40 percent of the industry’s respondents said their firms have employed technology without considering compliance risk, and 46 percent have experienced a compliance investigation.
The TRRI survey uncovered similar results, in which a quarter of respondents reported boards and risk and compliance functions needed to be more involved in FinTech solutions. An absence of appropriate skill sets may be one reason for this lack of involvement, the TRRI report stated. “That means the compliance function itself needs to have the technological skills necessary,” Hammond says.
Consequences for not consulting compliance
Riskonnect CEO Jim Wetekamp offers some other reasons for why compliance historically has not been involved in these decisions. “It may be that the risk of not involving risk and compliance isn’t really understood,” he says. Sometimes there’s also the concern that involving risk and compliance and other business functions will slow the process down.
The danger in taking a siloed approach, however, is that a given risk—a cyber-attack, for example—can infiltrate the business from anywhere, Wetekamp adds. The only way organizations can adequately protect themselves is for risk culture and awareness to come from the enterprise level, where everyone takes ownership of that risk and feels that it’s one of their key objectives, he says.
From a risk management and compliance standpoint, best practice is to “have a diversity of perspective when making these kinds of [technology] investments and not to overlook the risk,” Ludlam says. Consider not just what the technology itself can do, but also ensure you’re thinking about the risks, she says.
When making important technology-investment decisions, if you don’t recognize and factor that risk into the cost of acquisition and implementation, “then you may well end up with a bigger problem,” Ludlam says. Thus, it’s critical that the compliance function acts as a business partner—as opposed to a back-office policing function—by being part of the decision-making process and considering how the solution protects the business against things like cyber-security risk and data privacy risk.
“Compliance absolutely has to be involved in the overall governance of technology,” Hammond says. “Compliance officers should be completely comfortable that the IT infrastructure upon which the technology solutions are built is fit for purpose. Compliance needs to come to the table to say, ‘The IT infrastructure needs to be able to do this for us before we can build on it,’” she says.
In short, technology offers many compliance benefits, but you have to get the governance right around it, and good governance is greatly based on the skills of the compliance function, Hammond says. “But there is a huge amount of benefit waiting there if you can get all those processes right, and firms can’t get that right unless compliance is front and center.”