
Digitising the compliance function – Data-driven compliance 

In the first article in this series, ‘Digitising the compliance function’, we looked at the different types of RegTech and what it takes to implement RegTech successfully. In this article, we take a closer look at data. Ensuring good quality data is crucial for financial institutions, especially if they have digitised (part of) their operations. Consider, for example, the compliance function, where compliance officers are supported by RegTech tools to perform and record their work. Data-driven compliance should be the starting point if you want to use supporting RegTech tools efficiently and effectively.

But what exactly is data-driven compliance, and how can you make the compliance function within your financial institution data-driven? In this article, we explain why it is important to take this step now, not next year (or the year after).  

Date: October 4, 2022

What is data-driven compliance?  

Data-driven compliance is an increasingly popular buzzword. This is not surprising, as data-driven compliance has a lot to offer financial institutions. In practice, ‘compliance’ is mainly about managing compliance risk in the broadest sense of the word. ‘Data-driven’ refers to the use of (lots of) data to monitor, demonstrate and (proactively) control (non-compliance) within an organisation.

Data-driven compliance aims to take a data-centric and holistic approach to compliance. The essence of data-driven compliance is to avoid the familiar siloed approach and to use aggregated data at an organisational level to provide insights across the organisation. This is because “much of the complexity and effort required to verify compliance with laws and regulations comes from working in compliance silos” [1].  

When financial institutions let the data lead, this complexity can be reduced and the institution will be in better control. The organisation, and in particular the compliance department, will no longer be driven by different topics (e.g. AML, GDPR, private transactions) carried out or handled by different compliance experts (“silo structure”), but by the insight and overview created by analysing data from different angles (e.g. data from different departments). In short, (combined) data becomes the driving force for being constantly ‘in control’. “Managing and properly integrating different risk data streams can lead to cost savings, more efficient risk assessments and the identification of new, unforeseen risks” [2]. Linking data sources and analysing this combined data provides a greater focus on new and previously unseen risks.

What data are we talking about?  

When we talk about data-driven compliance, what exactly do we mean by data? Data is information in binary form that can be processed or moved digitally [3]. The transfer or processing of data is done using digital technologies. These technologies, combined with data analytics, can be used to profile, track and mitigate the risks (such as fraud, money laundering or terrorism) associated with malicious prospects or customers. In short, data has the potential to efficiently ensure a financial institution’s level of compliance.

What is data-driven compliance?  

At the heart of data-driven compliance is data-driven auditing and monitoring of, for example, transactions, processes and communications. It makes ‘risk-based’ monitoring more objective and takes compliance to the next level. Integration is incredibly important. Until now, data analytics has been seen as an add-on to regular work, whereas it should be the foundation of risk management within an organisation. Data analytics can be used to link disparate data sources in inventive ways. Compliance data, security incidents, news reports and the effectiveness of control measures can be linked together to provide key strategic insights and integrated views. 

From a ‘detecting’ to a ‘predicting’ compliance function  

Data-driven compliance can bring about a shift from a ‘detecting’ compliance function to a ‘predicting’ compliance function. The compliance function will increasingly act on predicted activity, rather than reacting to past events. Such an efficient and focused way of working will also allow more attention to be paid to ‘infrequent future compliance risk scenarios with a potentially high impact’. Financial institutions often focus (only) on the known risks, leaving (too) little attention and time for the unknown important risks. The focus should be on the tail of a normal distribution. The risks with the highest probability – the middle of the normal distribution – are known and existing controls are designed accordingly. It is in the tails (on either side) that the danger lies. The risks in the left tail of the normal distribution have a potentially low impact. Here, data can optimise the identification of existing low risks, leading to cost savings. The right tail – the risks that are small but have potentially infinite impact – should receive more attention. By using a lot of data, the unknown can be made transparent [2].

Requirements for data-driven compliance  

There are a number of prerequisites to transforming the compliance function into a data-driven mindset and operation:  

  • First, the financial institution should develop and implement an overarching control framework with an integrated approach from a data perspective.  
  • Second, the gap between IT and compliance needs to be narrowed. In practice, this gap is widening rather than narrowing as IT continues to evolve, but compliance staff often do not (sufficiently) evolve with IT.  
  • Third, the silo or island culture within the compliance function needs to be broken. Data analysis should include the whole context and not the ‘tunnel vision’ of specific compliance issues.  
  • Fourth, the financial institution should have a sufficient number of appropriately trained and experienced staff. A wide range of skills is required to properly secure, scan, index, search, store, organise, distribute and process data, and to clearly visualise and communicate the results of data analysis. Multidisciplinary teams are the key, as all these skills often cannot be found in one person. As a compliance officer, it is therefore advisable to familiarise yourself with the techniques available to make your job as a compliance officer more efficient and effective.  
  • Fifth, a financial institution needs to be decisive about its data – and especially its quantity. More data does not mean better quality, but often worse quality. At some point, more data leads to noise, which leads to worse data.  
  • Sixth, a financial institution should place the use of technology within the overall strategy of the organisation – and not see it as an add-on. “Place the use of technology within a larger strategy: Even if the data analysis is done correctly, and the results are interpreted correctly and then communicated, the exercise becomes meaningless if there is no robust implementation/operationalisation of the results” [3].
  • Finally, the associated risks must be well managed. Both the use of data itself and the transition from a ‘normal’ compliance function to a ‘data-driven’ compliance function may involve different (types of) risks. For example, data can be misinterpreted or misanalysed, with all the consequences that this entails. Or, in the transition process to a data-driven compliance function, changes (internal and/or external) may not be properly managed, resulting in people or systems failing to meet expectations. Such risks should be identified in advance and properly managed at all times. 

Want to know more?


Curious about data-driven compliance in practice? In the Ministry of Compliance’s DSI Compliance Professional course, you will learn what steps a financial organisation should take to move towards data-driven compliance. In addition, Projective Group can help you make your compliance function more efficient and data-driven. Please feel free to contact us.