Imagine you have someone on your team responsible for scanning, every day, every applicable rule and regulation that your organization is obliged to follow. Every morning, they hand you a brief that tells you the actions you need to take to remain compliant, redlining what has changed since the last time the rule was updated. What's more, they can also tell you how you are currently exposed by not being compliant.
It’s helpful, but not sustainable or an effective use of someone’s time. But suppose that such a person's brain could be replicated so that skill and knowledge could be distilled into a machine. Welcome to the world of RegTech—Regulatory Technology—one of the fastest-growing applications of artificial intelligence (AI) with a billion-dollar market just waiting to be developed.
AI and Other Buzzwords
It seems that everywhere you look these days, someone is talking about AI. But what does AI mean, and how does that help you as a governance, risk, and compliance (GRC) professional?
First off, you need to understand that AI is a catch-all term for many different computer processes that exhibit some degree of human-like characteristics. These characteristics are usually highly specific, such as being able to interpret meaning from written or spoken words (natural language processing, NLP), being able to see and recognize objects (computer vision, CV), or being able to learn how to spot patterns in data (machine learning, ML). Equipped with these skills, machines can be used to do all manner of things that were once thought to be the preserve of humans, such as driving a car, flying a helicopter on Mars, or suggesting which new show to watch on Netflix.
RegTech primarily uses a combination of machine learning and natural language processing to automate the review and assessment of regulations to determine what applies to a specific organization. One such system is Ascent, whose proprietary software can be used to begin automating your organization's regulatory system with a simple online questionnaire. We asked Brian Clark, founder of Ascent and regulator-turned-compliance officer, to join us on LogicGate’s podcast, GRC & Me, to tell us more about how RegTech is changing and improving the way GRC professionals do their jobs.
Cutting Through the Noise
Up to 65% of all regulatory documentation consists of context and explanatory notes. The remaining 35% constitutes the actual obligations that are applicable. But of course, not every obligation is relevant to every organization, or even every aspect of an organization. Some elements will only apply to a specific jurisdiction or at a particular time.
Using traditional manual techniques to scan regulations looking for the applicable sections, and then deciding where and when they apply, is time-consuming and labor-intensive. What's more, it is prone to human error.
Brian shared, “I would wake up at 4 AM wondering what I had missed.”
Such concerns are not uncommon across the GRC profession. Current data gathering techniques mean that GRC professionals can spend significant amounts of time obtaining lots of data to achieve insights, which can produce some unpleasant results.
Brian explained, “When GRC professionals have insights into just data, two things happen. First, you make more work for people because they've got to go through everything. Second, you can increase people's liability because you're giving them all this stuff that they don't have the time to review.”
This is where RegTech comes in. By taking each regulation and contextually analyzing it, the software can discern the obligations from all the other words in the document. It knows how to do this because people have trained the algorithms to look for patterns in written documents that usually represent the obligations. The result of this training is an optimized algorithm that is very good at pulling out the obligations from within any regulation it is told to review.
Having a comprehensive list of obligations is great, but how do you know which ones apply specifically to your organization at this time and in this jurisdiction? This is where the second aspect of the RegTech equation comes into play. By obtaining data about your organization through online questionnaires, the software is intelligent enough to understand how your company's requirements align with the obligations.
The output from this two-stage approach is a detailed set of specifically identified obligations for the GRC professional to review and decide on the most appropriate way to implement. The critical thing to realize is that what could have previously taken many hundreds of hours to read and assimilate can now be achieved by RegTech software like Ascent in under three minutes.
Eliminating Human Error
One case study exemplifies how RegTech is disrupting the financial regulatory industry spectacularly. In this landmark study, the Commonwealth Bank of Canada and ING bank collaborated with Ascent under the watchful eye of the UK's Financial Conduct Authority (FCA). The project identified the banks' obligations under two new European regulations, MiFID II and MiFIR (the Markets in Financial Instruments Directive and the Markets in Financial Instruments Regulation).
When undertaking a manual mapping of new regulations like these in the past, the banks would typically invest approximately 1,800 hours of human effort.
By taking the same data set and processing it through Ascent, the software generated an equivalent review and analysis in 2.5 minutes. It is estimated that the potential time saving from using RegTech on problems like this can be up to 49% per compliance officer per year.
Brian Clark said, “What was interesting about it is we actually found errors which the regulators had made.”
It turns out that the data Ascent analyzed had accumulated some errors along the way, which, by virtue of its complexity, the regulator had not been able to discern. By ensuring that the data was clean and automatically analyzed comprehensively and consistently, the RegTech software provided this valuable feedback to the regulator.
The End of the GRC Professional?
Is it possible that continued developments with AI will displace the GRC professional?
Brian doesn’t think so: “Where people used to generate some piece of knowledge, the machines are now helping people to do that. It doesn't mean we get rid of people. The people are more important than ever. This technology allows people to unlock their potential and focus their time on different activities.”
By automating some aspects of compliance through RegTech, it is now possible to take a comprehensive bottom-up approach to evaluating the complete legislative frameworks within which an organization operates. For multinational corporations, this includes the regulations of the various countries in which the organization conducts its business. While machines can generate knowledge, human GRC professionals will always be required to interpret that knowledge and apply it appropriately, balancing the risks and the opportunities of regulations to drive value.
Brian concluded, “30 years ago, professionals just wanted data. Then during the last decade, professionals wanted insight. Now GRC professionals are asking, ‘How do I eliminate all that and actually generate the knowledge I need to do my job?’ So we are just moving down that evolutionary chain.”
While the end of the compliance officer is not yet in sight, it is a safe bet that more organizations will be adopting RegTech in the near future, and we will soon be seeing more GRC professional roles being augmented by these clever machines.