The left-right-left, rope-a-dope that pummeled companies and their compliance functions during the Financial Crisis and the ensuing “regulatory tsunami” created a massive boom in the hiring of compliance personnel.
Experts say that post-Crisis hiring phase has, largely, drawn to a close and compliance officers are now, instead, keen to do more with fewer resources. They want to be smarter, not bigger.
A step toward that goal lies in the adoption of new technologies, notably data analysis and automation. Emerging technologies like artificial intelligence, blockchain, robotic process automation, natural language learning, cloud-based services, and machine learning are pushing into the compliance landscape. Connected and integrated data promises to transform enterprise risk management, enabling the business and its compliance function to better predict trends, flag anomalies, and proactively avoid crisis.
A well-planned and supported integration of cutting-edge technologies can also help bypass less-than-productive routine processes, such as data entry, transaction monitoring, and policy and contract reviews. Software platforms promise to automate routine tasks to improve fraud detection audits, anti-money laundering protocols, and know-your-customer screens.
Vocabulary to add to your compliance lexicon
A quick look at of some of the terminology associated with emerging technology and its application to governance, risk, and compliance. Instead of organizing this glossary alphabetically, we’ve started with the simplest terms before moving to more complicated ones.
Blockchain: A storage and transfer protocol for assets that is the architectural backbone of Bitcoin and other virtual currencies. It is a decentralized, distributed digital ledger that can track any digitized asset (securities, deeds, media, intellectual property, etc.), recording and verifying transactions across a large network of computer “nodes.” The distributed nature of the system facilitates secure online transactions while ensuring that no single bad actor in the network can tamper with the rules, timing, and execution of a given transaction.
Cloud: Common vernacular for offsite, decentralized storage arrays used to park, share, retrieve, back up, and manage data. Similar to personal data storage options with increased resiliency, scalability, and security features. Data and core mission-critical systems can be managed, in a virtual desktop environment, and served, largely off-premise.
Sandboxes: Nickname for real-time production environments in which new technology can be securely put through its paces, experimented with, and pilot-tested by institutions, providers—and even regulators—while mirroring, but never directly affecting, real-time operations.
Software-as-a-service (SaaS): Subscription-based software offerings wherein all upgrades, updates, and patches are seamlessly provided by the chosen vendor. SaaS offerings stand in contrast to the more traditional “product,” in which a customer pays a one-time fee to purchase and host the software outright (but has to pay for next-generation upgrades). SaaS solutions are often hosted in the cloud.
Advanced data analytics: Also known as “Big Data,” it focuses on gathering enormous amounts of information to use for predictive analytics (where the next breach might occur, for example), and behavioral analytics (potential employee fraud, etc.). A subset of these solutions is compliance analytics, wherein data can be used to detect and predict otherwise-hidden red flags. Common applications include reviews of know-your-customer, anti-money laundering, and beneficial ownership.
Robotic process automation (RPA): The automation of repetitive tasks and business processes that mimic such mundane activities as logging into a system, entering data, viewing online data sources, and copying and pasting data across multiple media, systems, and departments. Processes automated through RPA must be rules-based and will typically only input into structured data formats, such as spreadsheets and databases. Compliance uses include combing through systems to identify data for regulatory filings and testing for compliance with company policies.
Artificial Intelligence (AI): A “suitcase term” that unifies multiple tools, it is essentially a broad way to describe machines performing narrow cognitive tasks. AI complements process automation by taking unstructured data and—beyond the capabilities of robotic process automation—putting it into a structured format. It can deal in more sophisticated data models to help enhance decision-making processes. Among the areas this technology can assist with: anti-money laundering alerts, know-your-customer data monitoring, beneficial ownership data collection, financial crimes investigation, liquidity risk management, and keeping pace with regulatory change.
—Compiled by Staff Writer Joe Mont; Editor Jaclyn Jaeger; and contributor Anthony Dell, a compliance futurist.
The pitch is as simple as the technology is complex: let machines scan through a company’s data to do the grunt work of simple investigations, better utilizing the expertise of human personnel.
If you’re in the middle of transforming the way you perform your core functions, you’re not alone.
In Compliance Week’s survey of 118 compliance professionals who are part of the technology decision-making process at their companies, exactly 50 percent indicated they were currently evaluating options for adding or upgrading their compliance tech, with another 19 percent already in the process of an upgrade. Just 14 percent indicated they were not considering a change.
With so many options to choose from and so many hurdles to clear to get from idea to execution, how do you best navigate what will certainly be a complicated process? We’re glad you asked …
Where do you start?
A company first needs to identify which functions can be improved and made more efficient with technology. There needs to be buy-in from directors and executives and a worthy pitch that brings them to “yes” without promising the moon and stars. Can you mesh the new tech with legacy systems? What’s your backup plan if it all fails to meet expectations?
When to initiate a new technology is a very company-specific decision.
“It varies on the type of technology and use case,” says Michael Rasmussen, an internationally recognized pundit on governance, risk management, and compliance technology and founder/principal analyst for the research firm GRC 20/20 Research. “It all depends on the particular use case and vendor implementations out there to meet those needs.”
Here’s our five-step guide on how to make the best decisions for your organization:
Step 1: Identify solutions that meet your needs
There is a lot of hype around new technology, and exactly what you need depends on the industry you are in, says Michael Volkov, CEO and owner of The Volkov Law Group, a compliance, internal investigation, and white-collar defense service.
“If you are a financial institution, your regulator is all over you every day, and you are submitting vast amounts of information to them. That is one thing, versus if you are a manufacturing company, a hospital, or major healthcare provider,” he says.
Rasmussen suggests an initial in-house review of manual processes and identifying problem areas to build a business case for a technology upgrade.
He recounted a conversation with an organization that specializes in case management and investigations. The organization discovered it was spending more than 200 full-time employee hours just on an end-of-year report that summarized all of its cases for the board. The burden: a whole bunch of cutting and pasting between e-mails, Word documents, and Excel spreadsheets. That was then. Now, “it takes them less than five minutes, because they have new technology and have automated all of that,” he says.
“For every client that I deal with who is dealing with paper, as soon as we get basic automated tools in there, their life is 100 percent better,” Volkov adds. “They are all happier because they are not shuffling paper. For compliance, I would say that the biggest marginal difference in the adoption of technology has been the basic move from paper to automation technology. It has provided the greatest return in terms of job satisfaction.”
“The main thing people are dealing with now is automation to begin with,” Volkov says. “Other than financial institutions—because they often have the money to design their own [software and automation tools] most companies are still dealing with how to change from paper to automated reporting.”
Step 2: Put software vendors through their paces
Tyrone Canaday, global head of innovation for Protiviti, a risk and compliance focused management consulting company, has some advice for when the time comes to talk to technology vendors and solicit bids: “Be proactive.”
“Organizations sometimes take too much of a reactive view of things,” he says. “Compliance organizations need to have some kind of ‘change the organization’ budget, so they can look into research and development and scan for any new technologies out there that could potentially be disruptors or great enhancers.”
As you start the solicitation process, you will begin to see what various vendors’ capabilities are and how to potentially apply them to your business. “You are going to be seeing where the gaps are and seeing where there are deficiencies,” he says.
“You’d better make sure that solution really works for your organization and is actually going to satisfy the majority of the requirements that you have,” he adds. “One of the things I’ve seen at organizations is that they don’t do a good job with the whole aspect of vendor management and making sure they are maximizing the value of contracts. When they do contract negotiations, a lot of problems are glossed over. Then, when they get to a renegotiation or new contract time, those issues are not addressed at that point either.”
Information gathering is crucial when selecting a vendor, Rasmussen says. Talk to peers, analyst firms, and seek out client references, he suggests.
“The vendors and service providers often give me decision makers who usually have glowing things to say about the product of course, because they made the decision to purchase it,” he says. “I will then come at it from different angles. Where do you feel the solutions underdelivered? Where would you like to see the vendor grow their solutions?”
“If you ask them how and where they want to grow the solution, that can also tell you where it is weak,” Rasmussen adds. “I then ask if I can talk to somebody on their team that uses the product down in the trenches. Sometimes, I get a completely different story from that decision maker.”
An important point to consider: “Where you are now, compared to where you want to be in several years.”
Rasmussen also asks vendors: “What’s the most interesting and challenging use case out there, or what company is using your platform in the most interesting ways? That gives you more ideas of how it can be used.”
It eventually all comes down to money.
Blockchain: The next big thing in compliance tech
When judging technology offerings on the horizon, many compliance experts see tremendous promise on the distributed ledger technology blockchain, originally the backbone of virtual currency networks.
“Blockchain in its application to compliance is significant, particularly in terms of supply chain management,” says Michael Volkov, CEO and owner of The Volkov Law Group, a compliance, internal investigation, and white-collar defense service.
“While the costs right now for blockchain may still be too high and the technology still isn’t proven regarding security concerns,” he expects these concerns to fade over time:
“In the next five years it is going to be the real thing,” Volkov says, sharing a scenario for blockchain’s utility to financial institutions that collect, organize, and deliver large amounts of risk data to federal regulators. Much of that data is often stored in legacy systems that are internally siloed, and regulators are restricted in their ability to manage this data for their surveillance efforts.
“Blockchain can solve this problem. Financial institutions could share their data with regulators and eliminate the need for regulators to reconcile and aggregate the data themselves,” he wrote in a recent blog post. “The blockchain consists of a documented and immutable audit trail. Every bank and regulator would save on costs and time.”
Third-party vendor onboarding, he says, could be similarly documented, with equal ease and transparency. Managing “smart contracts” means the compliance and audit functions can monitor transactions in real-time. Internal auditors will have a more efficient way to identify potential fraud and investigate a series of transactions using rules-based surveillance techniques.
Blockchain also has applications for managing a company’s supply chain and its inherent risks, tracking items in that chain with up-to-the-second monitoring.
Volkov recalled a recent demonstration by a technology vendor at a conference. “I was immediately mesmerized,” he says. “They showed how you could track a fish caught in Thailand, all the way to a dinner table in San Francisco, and you know where that fish went every step of the way. I saw the application for that and was bowled over.”
To further elucidate the compliance case for blockchain, Volkov described another scenario. “When you can deploy it to set up contracts, and then set up the rules governing them, that’s going to blow everyone away,” he says.
For example, you may have a rule and policy that paying for a gift of $500 or more for a government official needs to be approved by a supervisor. “All of a sudden there is an entry that is made on the chain for that sort of transaction, but it doesn’t follow the rule,” he says. “An immediate notification is sent to compliance. Now, I don’t have to wait or hope that I audit 60 days after the fact to find out about it. I know about it right then and there.”
“These contract-based rules and policy-based rules that are enforceable though blockchain are going to be incredible,” he adds. “The whole audit profession for compliance is going to change.”
“When you are talking to clients and vendors, the big thing to really understand is what the implementation cost was or could be for you,” Rasmussen says. “Some technology providers’ implementation costs can be four-to-five times the software costs for the initial licensing for the first year. Others may have a newer breed of software—cloud-based, multi-architecture [software] can be much more cost-effective to implement.”
Step 3: Get buy-in and resources internally
Making the pitch for the money to make a technology expenditure, like so many spend asks, will require the CCO or a parallel technology position to convince directors and executives of a value proposition.
“That has been perhaps the biggest hurdle,” Volkov says. “Technology companies are being asked by compliance officers to provide them data on return on investment.”
Assessing ROI can be a difficult and very company-specific process, but common proof points would likely include cost overlay versus the monetary savings of risk reduction, regulatory enforcement avoidance, compliance-related cost savings, increased employee productivity, and streamlined business-side operations.
The flip side—executives or directors who are too gung-ho about new and shiny things and are willing to sign off on anything they consider cutting edge—has its own pitfalls.
“You need to be careful that somebody doesn’t just say ‘AI, let’s do AI.’ You need to always be educating them,” notes Volkov.
Step 4: Play in the sandbox
Organizations, especially at the chief technology officer level, may be worried about the legacy aspect of a company’s infrastructure. “There are layers of technology that have been built up over decades and if you need to replace it, then what’s the cost going to be and how fast can you get return on investment?” Canaday asks.
He offers a potential solution for both assessing legacy technology and testing new (or potential) implementations once the decision has been made to move forward.
In Canaday’s role at Protiviti, he manages “innovation sandboxes” to help clients incubate and accelerate solutions. Essentially, the idea is to create an environment where technology interactions can be studied, tested, and made to mimic software executions without actually going live.
“You are starting to see a lot of organizations do that,” Canaday says. “They incrementally start to execute changes in a way where they are not spending a lot on investment up front. They can experiment with different technologies, learn about them, see if they apply to their business, and make things more efficient on the compliance side. If it doesn’t do that, they can just stop investing.”
A new technology rollout “can’t be a big bang approach,” he adds. “You can’t change everything at once, so you need to take bite-sized chunks and do things over time.”
Step 5: Find the right people for the right jobs
Canaday stresses that a company’s eyes must be on the prize of measurably improving compliance functions. That may require a full review of hiring and training procedures.
As the financial services industry has shifted to greater automation, it has, and will continue to, cause displacement. “There are also opportunities to take ‘swivel chair’ types of processes—things that are highly manual,” he says. “If you are able to automate those functions with robotics and other technologies, those same individuals can be retrained to do higher-value work.”
“Get that retraining and see where they can reapply their energies and, quite frankly, do work that’s more interesting,” he adds. “You can start to do things like researching new controls. If that’s where you can start to reapply those energies, it is the work people would rather do, rather than pulling down files and doing data entry work, which was what they have done up to now.”
People, process, and tools need to be a top concern, Canaday stresses. “A lot of the people who are working in compliance departments don’t really have a technology background. They know policies and they know controls, but in today’s age you need to have some type of awareness of different types of technologies that are out there and then start to retrain yourself.”
He also suggests bringing in a system integrator to streamline new and evolving tech implementations.
“A lot of people, however, don’t want to spend the money up front on a system integrator or an expert to be able to do it the right way the first time,” he frets. “Then, what happens, is you don’t get what you want, the process takes a lot of time, and it just ends up reflecting badly on everybody involved from the vendor to the people involved internally. You sometimes need that third party, or it is like doing a home renovation without having an architect or a contractor yet expecting to get the outcome you want.”
The key to a successful technology adoption is rooted in how the company operates as a whole. Being mindful of both internal and external functions when adopting new technologies will go a long way in driving an efficient and effective implementation that puts the company on the path toward exciting, job-improving innovations.
The future is now. The next move is in your hands.
Special report: A practical guide to compliance technology
- Currently reading
Five-step guide to choosing the right compliance technology