Security and Compliance Management: Ticket to Success
By Terrence Lim, Chief Risk Officer, Aviva
The financial industry today is under immense pressure to evolve, which has driven the adoption of new technologies. Four key things have transformed the industry, which I simply call the 'ABCD': A is Artificial Intelligence (AI), B is Blockchain, C is Cloud computing and D is Data Analytics. The challenge lies in adopting these technologies to enhance the compliance function and ensure its sustainability in the long run. Such technological advancement changes the role of compliance: we are required to enrich our skillset to meet the expanded job scope and to ensure that compliance teams are kept abreast of, and equipped with, relevant information technology and business protection knowledge. Failure to meet the rules and guidelines set by compliance standards could mean fines, penalties and loss of trust.
We are exploring tools to simplify our processes, such as facial recognition, robotic process automation, optical character recognition and chatbots. These have helped us simplify customer onboarding by removing a great deal of unnecessary burden and laborious manual work. We continuously learn and think from a customer experience perspective to make our interactions with customers "short and sweet" while ensuring compliance at all times.
When it comes to AI, more sophisticated tools are used to control, assist and innovate in order to ensure compliance. Embedding AI technologies in day-to-day functions can flag suspicious transactions indicative of financial crime, helping us to draw better conclusions and report them to the financial institutions concerned. In the near future, robo-advisors are anticipated to be a focal point in the world of AI.
Blockchain is considered one of the hottest topics in the financial services industry due to its potential to change how business works, making business processes more effective, efficient, transparent, secure, timely, cheaper and less error-prone. With the use of blockchain, smart contracts are attracting more attention for their application, as they are capable of helping businesses to execute, validate and enforce the terms or performance of an agreement.
While cloud computing is becoming more commonly adopted by businesses, some regulators remain skeptical about the robustness of this technology to safeguard the interests of the general public, particularly when customers' personal data is involved. Hence, businesses need to understand the various types of cloud (public, private and hybrid deployments; infrastructure, platform and software offered as a service), their applications in the business, and the business's own risk appetite. Compliance should be well aware of applicable data privacy laws, including those with extra-territorial application, as well as industry-specific regulations such as HIPAA for health data and PCI DSS for payment cards. It is equally important to assess the effectiveness and reliability of the security deployed for these cloud services, to be clear about which controls the provider operates and which remain the company's own responsibility, and to ensure that a proper service level agreement is in place to protect the rights of the company.
Additionally, leveraging data in compliance is critical, and we use data analytics as part of the compliance function. Some organizations are employing data scientists to interpret data so that it is fully utilized. To meet business objectives, I would suggest monetizing data.
Some of the compliance challenges are as follows:
• Upgrading legacy systems, which are difficult to adapt to new requirements.
• Building the skills and competency needed for the newer interface of automated reporting on key compliance issues.
• Mitigating cybersecurity risks.
What are Your Suggestions to Proactively Manage Compliance Risk?
Companies, especially startups, are moving from a non-regulated space into a regulated one, particularly when they join the financial industry. It is essential to understand the compliance requirements and to build tools that identify all the regulations applicable in the industry; reassessing those regulations can then improve the business. For example, an insurance company needs to be aware of the security requirements and of the exposure arising from outsourcing its data centre to a cloud service provider. Stepping forward, existing policies should be identified and prioritized according to the degree of risk we are exposed to. In our case, we assess design adequacy and validate operating effectiveness to determine whether the risk and control framework is capable of meeting the compliance requirements. If not, we establish action plans to help the business bridge the gaps and ensure that remediation actions are carried out in a timely manner to mitigate the compliance risks and bring them within our risk tolerance.
Cognitive tools, along with AI and machine learning, are leveraged to capture this end-to-end process and to check whether regulatory changes are properly reflected in our requirements. Before committing to a large resource investment, adoption and reliability concerns are examined. We capture the entire compliance universe and present the strategic design to the regulators in a compelling way. Internal audit may perform an independent assessment to help the business gauge the effectiveness of the compliance framework implemented.
How to Mitigate Compliance Risks in an ever-changing regulatory landscape?
Gaining insight into regulatory changes or developments around the world, and analyzing them through both top-down and bottom-up approaches, can help in risk mitigation. For instance, a change in UK law, the Criminal Finances Bill 2016 (enacted as the Criminal Finances Act 2017), makes the facilitation of tax evasion an offence even where the business operates outside the UK. A Hong Kong company whose headquarters are in the UK must therefore ensure that controls are implemented to comply with this extra-territorial UK law.
Another example is the EU General Data Protection Regulation (GDPR). It may not seem applicable to most businesses outside the EU, but it is not as simple as it seems. Compliance needs to help the business determine the applicability of the law outside the EU by assessing its extra-territorial reach and whether the business is subject to it under the following tests:
• Whether data is being processed in the context of an EU establishment of the business.
• Whether the business offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU.
• Whether it is apparent that the business envisages offering goods or services to individuals in one or more EU member states, irrespective of whether payment is required.
• Whether an overseas e-commerce business offers products online in English, accepts payment in euros, processes multiple orders from individuals within the EU and ships those products to them.
Such an analysis can spare the business from implementing an unnecessary compliance framework, improve efficiency and reduce compliance cost.
What is the Role of Work Culture in Mitigating Compliance Risk?
A question worth asking is: "Are there any bad apples, rotten eggs, excellent sheep or 'permafrost' types in your organization who need to be dealt with?" Such people are thought to contribute to a negative culture and need to be proactively managed to ensure the success of the organization. Senior executives must set a proper tone at the top to shape a robust organizational culture that is embedded in the day-to-day functioning of each operational area. Rather than penalizing them, special attention must be given to inexperienced employees: educating them, enabling them to learn from past mistakes and providing the relevant support and tools, which will help them embrace the right working culture. Such an approach will be appreciated by employees at all levels and is sustainable.