With regulatory compliance becoming an integral aspect of governance across the world, it is important to understand its growing complexities and demands in order to develop a rigorous yet agile solution. It has to be handled with the utmost urgency, considering its impact on organizational leadership and overall brand equity. RegTech, based on regulatory technology, is a term coined by the Financial Conduct Authority to address this very challenge. It applies to the new technologies developed to help overcome regulatory challenges in financial services. At TCS Research, we have developed the Automated Compliance Checker, which advances the RegTech state of the art by significantly automating the compliance process, from processing natural language text to extracting rules to checking compliance and reporting.
Regulatory compliance has been much in the news in recent times, either for the introduction of new regulations with far-reaching impact, such as the recent GDPR, or for enterprises facing regulatory action and huge fines for non-compliance. It figures among the top five CEO-level concerns in enterprises worldwide,1 and understandably so, given the complexities involved and the stiff penalties and reputational risk associated with non-compliance. Global demand for regulatory and compliance software is expected to reach over a hundred billion US$ by 2020.
The prevalent trends in compliance software are changing, however. Where Governance, Risk and Compliance (GRC) frameworks, regulation specific products, and/or bespoke compliance software ruled the roost, RegTech is now emerging as the indispensable weapon firms must have in their arsenal to quickly respond to ever-changing regulatory needs. The term “RegTech” was coined in 2015 by the Financial Conduct Authority, which described it as a sub-set of FinTech that focuses on technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities.2
The most important difference RegTech brings to the table is agility in implementing regulatory requirements. In contrast, erstwhile processes and software are unwieldy and need multidisciplinary teams to be mobilized to understand and manually implement regulatory changes, as illustrated in Figure 1, taking an inordinate amount of time. The other key characteristics of RegTech are speed, integration, and analytics. However, current RegTech solutions address only certain aspects of compliance implementation, such as reporting or storing due diligence data, or niche areas, such as anti-fraud services or consent management.
At TCS Research, we have developed the Automated Compliance Checker—an architecture, a set of automation tools, and method support that completely redefines the entire process of checking compliance to regulations using a combination of formal and automated technologies. It not only addresses the four RegTech objectives but is generic, i.e., domain and regulation-agnostic; and automates all of the end-to-end process beginning with extraction of rules from regulatory documents to checking compliance on relevant data in the enterprise and generating a report. Subject matter experts’ (SMEs) input is obtained only at the points where necessary and the technology components provide intelligent assistance to efficiently utilize their expertise and time.
Our point of view
Being essentially language engineering people, we naturally gravitate toward solution approaches centered around the idea of refinement/transformation of a higher-level formal specification into a machine-executable language. But the source being in the form of natural language text presented a big hurdle in applying this approach to automate regulatory compliance. Work at Imperial College London in the late 1980s professing that “regulation is a logic program” encouraged us to stay the course.3 A language processing-based approach to regulatory compliance did seem feasible after all. But some key practical challenges remained:
– It took serious, concerted efforts of a group of expert logicians from academia to express regulation as a logic program. Expert logicians are in short supply and there are far too many regulations to be encoded manually into logic programs.
– The world is dynamic—new regulations keep being introduced, existing regulations keep being modified, and enterprises themselves keep changing all the time—thus requiring the services of expert logicians all the time.
– Modern enterprises, even from the same business domain, typically differ in terms of operational processes, software systems, technology platforms, and so on. Any solution for automated compliance must be easily retargetable to accommodate difference in choices as regards the above. In short, one shrink-wrapped product is unlikely to meet the case.
– Regulatory compliance demands three kinds of expertise, namely Legal (to translate the legalese text into normative text), Domain (to bind normative text to domain-specific context, identifying the data elements to be checked and the checks themselves), and IT (to obtain the desired data elements from the enterprise’s information footprint and optionally to execute the checks). A good compliance solution should facilitate separation of these three concerns, thus leading to a well-coordinated compliance process.
To overcome these practical challenges, we have developed an NLP/ML-driven, model-based, evidence-supported approach to automated regulatory compliance. The approach is supported through a set of automation aids and a method for using them under human supervision. The framework uses a combination of AI and model-based technologies to create a model of regulation rules that drives the entire compliance checking process, as illustrated in Figure 2. The regulation ontology and rules are automatically extracted from regulatory documents using natural language processing and machine learning techniques.4 SMEs review and refine the extracted rules in controlled natural language, and the refined rules automatically populate the model.5 The model is used to generate an executable specification of the rules as well as to identify the relevant data needed from the enterprise for checking compliance.6 An enterprise data integration tool helps SMEs map to data sources within the enterprise, from where data facts are automatically extracted and checked against the formal rules to generate a compliance report. The report pinpoints the rules and data responsible for success/failure, providing evidence that helps SMEs trace and fix non-compliances.
Use of natural language processing (NLP) techniques enables domain experts to construct a formal model of regulation quickly from natural language text. Use of controlled natural language enables identification of incorrect interpretation of legal text—especially so if legal experts can be brought into the process for this step. A formal model of regulation is automatically validated for internal consistency and for correctness with respect to the domain model, if available. The regulation model is automatically translated into a machine-executable specification. The facts are populated automatically from the enterprise information footprint. Use of the various automation aids not only reduces time but also reduces the level of expertise needed of people participating in the compliance checking process. Improved correctness due to the use of mathematical rigor reduces the number of iterations between regulator and regulatee. Thus, our approach advances the current state of practice of compliance checking along the key dimensions of cost of compliance, level of expertise needed, and exposure to risk.
We are discovering that our approach seems useful in several other business-critical use cases such as internal policy compliance, contracts management and analytics, controls testing, as well as risk management among others. We have conducted several PoCs on real-life regulations within the lab and are currently engaged in a real-life PoC with a leading European bank, with several more in the pipeline from customers across domains.
We think this approach can also help regulators to come up with regulations that are internally consistent, non-conflicting with standard domain models wherever available, and are implementable. We are being encouraged to approach various regulatory bodies.
At present, our approach addresses only a part of the compliance problem, namely compliance checking. We intend to soon take up the remaining parts, namely making compliant and staying compliant. In a sense, a solution for the former serves well for the latter too. This essentially calls for: (i) identifying the change, (ii) precisely computing the impact of the change, (iii) introducing the change, and (iv) validating for correctness. Clearly, a deep understanding of enterprise IT systems and business processes is necessary to execute these steps effectively and efficiently. The model-based nature of our solution is a big help. The formal model of regulation is amenable to linkage to other models such as enterprise models, business process models, Unified Modeling Language (UML) models, IT infrastructure models and so on. Enhanced structure, courtesy of representation in model form, enables precise computation of a change and its impact rippling across the connected models. It is possible to generate just the optimal number of test cases and test data to ensure completeness of testing. Also, our solution will be change-driven, i.e., the cost of the compliance process will be proportional only to the changes being introduced either in the regulation or in the enterprise.
Modern enterprises are complex systems of systems operating in highly dynamic environments that need to respond quickly to a variety of change drivers. Determining the right response is often a challenging endeavor considering the large size of the organization, its socio-technical nature, and fast business dynamics. Moreover, given the connectedness of the system of systems, it becomes imperative to check whether a change being introduced in one system leads to something being broken in other systems. The current industry practice of relying principally on human expertise for arriving at a suitable response has turned out to be inadequate. To aid the process, several enterprise modelling languages have been proposed with the intent that increased structure augmented with domain semantics will bring in mathematical rigor, thus reducing the current excessive dependence on human experts for analysis and synthesis. Three kinds of models seem necessary, namely descriptive (Archimate, Goal models, and KAOS among others), predictive (system dynamic models, and operational research models), and prescriptive (models for regulations and policies). There is a need to link these models together; for instance, prescriptive and predictive models together are required for risk management. There is a need to refine these models continuously over time.
To address this emerging scenario, we propose a knowledge-guided, data-driven, simulation-aided, model-based, evidence-backed approach to dynamic adaptation of a complex system of systems. The model-based nature of our approach to automated regulatory compliance fits in nicely here too.
To begin with, we intend to realize this vision in spaces where the mechanistic worldview holds. However, we believe the approach, when augmented with human behavioral modelling, will work equally well for socio-techno-economic spaces too.
2 https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/FinancialServices/IE_2016_FS_RegTech_is_the_new_FinTech.pdf
3 Sergot, M., Sadri, F., Kowalski, R., Kriwaczek, F., Hammond, P., and Cory, T. The British Nationality Act as a Logic Program. In CACM, Vol. 29, No. 5, 1986, pp. 370–386.
4 Sagar Sunkle, Deepali Kholkar, Vinay Kulkarni: Informed Active Learning to Aid Domain Experts in Modeling Compliance. EDOC 2016: 1–10.
5 Suman Roychoudhury, Sagar Sunkle, Deepali Kholkar, Vinay Kulkarni: From Natural Language to SBVR Model Authoring Using Structured English for Compliance Checking. EDOC 2017: 73–78.
6 Kholkar D., Sunkle S., Kulkarni V. (2017) Applying MDA to Rule and Data Generation for Compliance Checking. In: Cabello E., Cardoso J., Ludwig A., Maciaszek L., van Sinderen M. (eds) Software Technologies. ICSOFT 2016. Communications in Computer and Information Science, vol 743. Springer.