Analytics at work: a data-driven approach to compliance
September 2022 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
Compliance is a word firmly entrenched in the corporate lexicon: a term that denotes a requirement for a symbiotic relationship with an often comprehensive tick list of rules, regulations or any other type of government edict that, in many instances, will task even the hardiest of compliance professionals.
In the financial services (FS) sphere, compliance is most certainly a challenging endeavour, with the penalties for non-compliance severe. Since 2008, the fines imposed for transgressions such as money laundering and sanctions violations have reached a staggering $30bn, according to EY.
In its report on today’s FS compliance landscape – ‘The State of Financial Services Compliance 2022’ – SteelEye contends that FS firms face significant compliance challenges amid increasing financial regulatory uncertainty, with compliance teams under pressure to innovate and streamline their functions to suit the modern environment.
“Our survey report demonstrates the breadth and complexity of the challenges facing today’s compliance professionals,” says Matt Smith, chief executive of SteelEye. “Regulatory change, a changing operational environment and growing data volumes are forcing FS firms to rethink their processes and procedures for regulatory reporting, trade and communications surveillance, record keeping and more.
“Moreover, it is clear that FS firms are beginning to recognise the role technology can play in removing regulatory complexity,” he continues. “Indeed, projections for the year ahead show almost half of firms anticipate an increase in RegTech investment, and a further 41 percent expect to invest the same as they did last year.”
Of all the compliance challenges facing FS firms, by far the most prominent, according to SteelEye, is to manage the pace of regulatory change while continuing to meet existing operational obligations. Moreover, much of the challenge stems from difficulties surrounding the effective management, consolidation and normalisation of data.
The SteelEye report also states that while 42 percent of respondents indicated that they find regulators more challenging to deal with, 73 percent believe FS firms are well-equipped to handle more stringent regulatory rules over the coming years.
“Digitalisation is well underway for most large firms, 75 percent of whom have started investing in or have fully implemented technologies like artificial intelligence (AI) and machine learning in compliance,” states the report. “There is, however, a need to reach smaller firms, where uptake is lagging. Arguably it is these teams who are least equipped to adequately manage the challenges ahead.”
DOJ guidance
FS firms with varying risk profiles, geographies and workforces collect and analyse a vast array of data across myriad functions (including sales, marketing and legal) in order to predict behaviours and meet their business goals.
Providing guidance in this respect is the US Department of Justice’s (DOJ’s) ‘Evaluation of Corporate Compliance Programmes’ guidance, which considers whether compliance functions have sufficient access to relevant sources of data to allow for timely and effective monitoring and testing of policies, controls and transactions.
In many cases, the challenge for compliance practitioners lies with identifying the various risk-relevant data sources that exist across the business and understanding the story that the data in question can tell.
“The DOJ’s guidance is the most relied upon regulation for ethics and compliance programmes, regardless of whether a business is US-based or not,” states the OneTrust report ‘A Data-Driven Approach to Evaluating IT Risk’. “This guidance makes it clear that access to data across the business, analysis of that data, and tailoring your programme based on that data, is essential for an effective corporate compliance programme.”
Drilling down, the DOJ guidance recommends that FS firms ask themselves questions in certain key areas, as outlined below.
First, data resources and access. Do compliance and control personnel have sufficient access to relevant sources of data to allow for timely and effective monitoring of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address them?
Second, control testing. Has the company reviewed and audited its compliance programme in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data and interviews of employees and third parties does the company undertake? How are the results reported and action items tracked?
Third, updates and revisions to risk assessments. Is the risk assessment current and subject to periodic review? Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance programme?
“This data, both quantitative and qualitative, provides compliance departments and regulators with measurable ways to test and analyse the correlation between corporate culture and events, as well as how these behaviours highlight vulnerabilities within the organisation, whether it be from conduct or controls,” adds OneTrust.
The upshot of all this is that having a digital and data-driven compliance programme is deemed to be a desirable state for FS firms – a programme that will allow them to tap the full potential of their data to extract insights and be dynamic in managing and monitoring their operations.
Well-executed
The benefits of a well-executed compliance programme should not be underestimated. It is even more beneficial when it utilises robust technology and data analytics that can help firms to monitor internal behaviours and the behaviours of any third parties with whom they do business.
According to the 2020 Deloitte report ‘A dynamic data driven approach to compliance monitoring’, when preparing for an effective data-driven compliance monitoring capability, FS firms should consider the following four factors.
First, focus the effort. Rather than casting the net wide or investing heavily in one technology solution, consider conducting a focused proof of concept to understand the mechanics of an analytics-driven approach and to demonstrate the value it can provide.
Second, get the right data. A data-led monitoring capability is only as good as the data on which it is based. The focus needs to be on the right data sources and the relevant data within those sources.
Third, engage with stakeholders. It is important to involve all stakeholders from the relevant areas of the enterprise who will be interacting with the solution.
Lastly, different risks may require different analytical approaches. For example, clustering and anomaly detection use statistical profiles to identify normal activity and then differentiate outliers from these profiles. Supervised modelling, in contrast, uses prior economic crime, waste, abuse and misconduct to enable the computer to ‘learn’ the characteristics of these events, to provide early warning signs, and to identify other instances of similar behaviour.
“The main benefit of robust technology and data analytics is establishing a scalable, sustainable and meaningful compliance programme,” contends OneTrust. “There is a famous saying that you measure what matters; and so, measuring your efforts, their results and their ability to impact behaviours is key to understanding and assessing how to achieve the outcomes and behaviours desired from a compliance programme.
“While technology allows firms to scale insight and impact particularly with limited people and resources, data analytics allows them to have a realistic picture of behaviours or the lack of behaviours across an organisation,” continues OneTrust. “This provides businesses the chance to derive insights from trends or patterns, both good and bad, and highlight gaps or ineffective controls.”
Compliance reporting
Given the heavy price that can be paid should FS firms fall foul of regulators, reporting is a crucial component of the compliance playbook. That said, firms need to be careful with the look, feel and format of their reporting obligations and ensure that only relevant data is used to convince regulators and other key stakeholders.
“A firm’s compliance data and reporting should tell a story of what is working or what is not working within the business,” states the OneTrust report. “This data should evaluate psychological safety and trust and be comprised of layered charts and information that, where possible, can be filtered to understand what behaviours are happening and when they are happening.
“Questions should be asked such as: do your employees trust you to speak up on important issues? And do employees trust that you will work with them fairly and transparently?” continues OneTrust. “In this regard, benchmarking is a powerful tool that can provide further visibility. Understanding both external and internal benchmarking trends, as well as what drives them, provides richer context and therefore better insight for reporting.”
However, in the view of Jochen Vankerckhoven, founder of Compliance Explained, too much emphasis is being placed on compliance tools rather than their goal. “Yes, there are heavy lifting tools, like every AI tool,” he explains. “But if you are measuring the wrong thing, you can burn your money right away. We should look less at what other firms are doing and more at how we can improve our own internal compliance.”
No holy grail
As global data volumes continue to grow, FS firms need to stay ahead of the curve and navigate an ever-changing landscape – all the while searching for the ideal pathway to a more data-driven approach to compliance.
“Leveraging data analytics for compliance operations should be a business imperative,” suggests OneTrust. “Although data is intimidating, it is necessary for understanding a programme’s value and how it is realised. It will help firms to improve their compliance, but they will still need to dig deeper to see what is really going on, to see the why of things.
“In the years ahead, we must continue to make high-quality data-driven decisions that drive outcomes and change behaviours,” adds OneTrust. “Specifically, data quality, data governance and data cleansing are all critical disciplines that must be incorporated into data-based analytics. Our compliance programmes depend on it and so does our credibility, as programmes and as people.”
Mr Vankerckhoven, while believing that there is no holy grail to measure compliance, does advise firms to: (i) identify behaviours that can cause a compliance risk; (ii) determine which indicators are going to be measured (direct or indirect); (iii) determine how to score specific indicators; and (iv) determine what the firm can do to impact these scores, such as proactive compliance elements like training, communication, discipline procedures and sanctions.
“The effectiveness of a compliance programme can be shown if by repeating and adjusting these steps, the score lowers and the chance of risky behaviour lowers,” he concludes. “It is repetition and changing things that will create a stream of data over time. And this data will help FS firms to improve compliance.”
© Financier Worldwide
By Fraser Tennant