Compliance in the age of technology

The world is changing at pace with technology and data revolutionising the way we do business. Globalisation has increased cross-border connections between businesses, creating new complications with regard to security and control over data. Mergers and acquisitions have given rise to more complicated multi-jurisdictional organisational structures, thus, business risks have become increasingly fragmented, distributed and complex.

In responding to these challenges, compliance functions are moving from the look-back reactive risk management age, where the past dictated how firms designed their programmes, to look-ahead predictive compliance.

>See also: GDPR compliance: what organisations need to know

There is a trend towards businesses installing sensors across the business, probing, predicting and averting compliance breaches before they happen and providing superior visibility of the risk landscape.

The opportunity for change

The proliferation of data across all media, along with the explosion in our ability to capture, use and derive insight from this data is a game-changer. Everything that people do leaves a digital footprint, and using new techniques companies can combine internal and external datasets to find patterns, trends and outliers. With advances in technology delivering more computing power at a lower cost, it is now possible to automate routine processing to produce results quicker and more accurately.

All of this allows firms to produce compliance reports, regulatory checks and stress tests more often, more accurately and in higher volume than ever before. Compliance departments, as a result, have greater insight into business practices and can build predictions based on past and current data, isolating patterns and extrapolating them. They can use the quantified risk, obtained by crunching large, diverse datasets, to calibrate, calculate and manage risk better than with earlier rule-based systems.

Shaping the technological requirements

As these new possibilities open up for compliance professionals, there are many parameters and issues that need to be meticulously defined for their endeavours to be successful. At the top of the list is determining which risks to focus on, how to quantify them and how to measure success. If the business question is wrong, or the data is not chosen wisely, the old computing adage of ‘Garbage in, Garbage out’ becomes very evident.

>See also: What Brexit and Trump mean for compliance

Companies need to ensure that they embark upon this journey with forensic attention to detail, ensuring that they choose the right problem to tackle and employ the right data sources to answer their question.

They need to choose technology that has been carefully matched to their requirements and be aware of biases which might be introduced into the system inadvertently – training data that contains higher conviction rates for a certain demographic, for example, will result in an algorithm that tries to mimic this skew.

Building on firm foundations

Businesses need sound data management policies that scale with the exploding volume of data emerging from consumers and Internet of Things devices. Data mining techniques, which have traditionally worked with raw data in small quantities, will need to be updated and expanded to handle outputs from new machine learning paradigms and very large datasets. IT Infrastructure will need to be reliable and well-suited for handling large volumes of data at the speed required for the application.

Techniques to handle Unstructured Data are not deterministic, employing ‘fuzzy’ logic and inferential tools, so the outputs of these systems will need to have checks, balances and probabilistic interpretation.

>See also: Brexit confusion over MiFID II compliance

Handling personal data also requires mature data privacy policies and robust cyber security protocols to prevent loss and misuse of information. Above all, the systems will need to be transparent, accurate and fair, particularly in light of major regulatory requirements such as the EU’s General Data Protection Regulation (GDPR) coming into force in early 2018.

Deriving value from risk

Given the right level of commitment, investment and support from the c-suite and the risk-management team, this confluence of data and technology has the potential to reduce the cost of compliance. It can also provide new, easy-to-use, powerful tools for compliance professionals. Moving further, there is also the opportunity to apply other lenses to the data, potentially spotting increased efficiencies and new value propositions.

Many companies, for example, use this big-picture view with drill-down detail in targeted marketing campaigns that recognise localised trends in the data. Thus compliance, rather than just being a risk-management function, can become an enabler, continuing to protect the business but also offering tools, capabilities and insights which can inform business opportunities and strategy.

The man-machine partnership

Technology alone does not offer silver bullets. Machine learning techniques have limitations in the way data that can be handled and the problems which can be tackled. Algorithms can encode hard-to-see biases from the data used for training. There is also a real danger, while handling enormous volumes of data, of reading noise and missing the signal.

>See also: Majority of CISO’s begin prioritising GDPR compliance

The outputs produced by these new processes will often need further investigation. Paradigms and assumptions will need to be vetted, the processes will need oversight and the data as well as the outcomes will need validation. It is for this reason that humans are still central to an effective compliance function.

The new capabilities afforded by technology are enablers, not replacements for people. The heart of the compliance function will continue to be human, but compliance officers will be doing less routine work and will add more value in terms of exercising discretion, judgement and choices.

With man and machine working together, businesses can leave automatable processes to technology and use new found sensors to focus on advising the business in risk management decisions as they are taken.


Sourced by Carl Judge, partner for EY’s Fraud Investigation and Dispute Services


The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...