In their own ways, banks and other financial institutions have managed to cope with the varying regulatory burdens imposed over the last decade. Yet the imminent arrival of the European Union’s General Data Protection Regulation (GDPR), which comes into force on 25 May, calls for more innovative approaches, given its scale and reach.
Its provisions cover the personally identifiable data of any European Union or British citizen and are very prescriptive, with penalties for infringement that could amount to four per cent of group global revenue. It is hardly surprising, then, that Fortune 500 organisations are reported to have spent $7.8 billion on GDPR compliance work so far.
The growing weight of regulation
The challenges of GDPR are piling up like huge falls of fresh snow on the glaciers of Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations. The collective weight of these requirements is multiplied by the infamously disjointed IT systems that banks and financial institutions have accumulated through a long history of mergers and acquisitions.
Without the power of automation, compliance in this landscape of multiple pitfalls is, at the very least, hazardous. Consider, for example, how GDPR confers the right to be forgotten. Any citizen, or their lawyer, can request that any bank or institution destroys or hands over all data it holds that could identify them personally. This is a perpetual right that requires constant monitoring of incoming requests.
Laying hands on all the data on a single individual who may have multiple current accounts, savings accounts, mortgages, credit and debit cards is never going to be easy for any institution.
Many businesses simply will not have the resources once these rights are publicised and consumers start using them. Compliance is, after all, a continual process and not an annual validation with a certificate. It requires an organisation constantly to check all its data against consent and revocation databases in order to establish whether there is any right to retain it.
RPA excels at the time-consuming, repetitive work
What a relief then, that robotic process automation (RPA) eliminates this incredible drudgery, making the whole process easier, faster, cheaper and more accurate than is possible with the skills of back-office staff.
A software robot becomes a virtual compliance officer of immense ability, capable of penetrating into the furthest recesses of any set of disparate systems so it can examine and retrieve information just as any skilled member of staff would, but with much greater efficiency. From this data-labyrinth, RPA robots can provide the single version of the truth that is required, but at a speed, scale and level of security that humans simply cannot achieve.
RPA targets crucial aspects of GDPR compliance
RPA is immensely effective in two very important aspects of GDPR compliance. The first is cleansing data by regularly purging what should not be kept in a database. The second is through the automation of processes around customer consent, which is one of the most essential GDPR requirements. To facilitate this, organisations can deploy RPA to provide customers with a portal where they can log in to obtain a unified, single view of all data referring to them. Once consent for its retention and use is obtained, the technology can monitor how this information is employed and raise a red flag when non-compliant activity is likely.
Should data be used without consent, or a security breach occur, RPA will automatically inform the customer, ensuring one vital aspect of GDPR compliance is achieved. It is worth remembering that regulators view non-compliant handling or security breaches with near-equal seriousness and the indications are that any failure to immediately inform data-subjects of these occurrences will result in stiffer penalties.
Fortunately, audit and reporting are built into RPA, since each action undertaken by software robots is logged centrally where it can be monitored and updated in relation to new rulings or regulatory directives. Strict access controls and the integration of advanced data protection technologies and encryption all take security to the highest level possible.
Low impact, low cost, RPA is highly efficient
Even before GDPR comes into force, RPA technology has proven its worth in compliance many times over. One of its great advantages is that robots can execute regulatory tasks when they are not fulfilling their other routine but complex assignments. Being easily configurable, robots can be oriented to work on the various regulatory aspects with minimal impact.
Compare this with the alternatives, which are either resource-intensive manual processing or major IT schemes such as master data management (MDM) projects, which consume substantial amounts of cash and take a great deal of time to implement.
RPA also has one very significant advantage over technologies such as machine learning – it does not in any way alter the data, nor, in the process of retrieving and presenting it, does it retain anything, which is one of GDPR’s basic requirements. It is mechanistic and deterministic and far more appropriate to compliance-related tasks than machine learning-based solutions. RPA is also very much at home with the kind of green-screen legacy technology that some financial institutions may still operate.
Outsourcing of RPA makes sense
As RPA develops and more organisations understand how it delivers massive efficiency gains in relation to compliance, provision will inevitably move into the outsourcing sector. This makes sense when deadlines are tight and budgets under close scrutiny. If institutions understand the gains of outsourcing payroll and human resources, they will certainly see the business advantages of accessing robotised compliance functions in a similar way.
Given their existing business relationships, it is almost certain that outsourcers or systems integrators will deploy utility-like platforms which will still further broaden the types of organisations using RPA.
Yet whether outsourced or on-premises, RPA is playing a key role in meeting the ever-weightier demands placed on financial institutions by the regulators. Should institutions choose to neglect RPA, they risk very high costs and the potentially bombshell impact of compliance failures.
Sourced by Venu Kannan, chief solutions officer, UiPath