What is at stake?
In a challenging environment where regulatory requirements have become more stringent and controls performance are even more burdensome, automation is becoming a priority for financial institutions. This paper aims at providing a practical guide through the controls automation journey.
Over the last decade, the Compliance function within financial institutions has seen its importance grow exponentially as regulators have significantly strengthened the regulatory framework globally. The Great Recession resulted in a heighted regulatory environment and along with new regulations, financial institutions around the world have been subject to record fines of more than $320B since the 2007/2008 crisis1 driven mainly by regulators’ mandate to not only fight financial crimes but also reduce operational and conduct risks.
This complex regulatory environment has considerably increased the need for controls within banks across the world, leading them to conduct numerous and fragmented controls implementation in order to meet new controls requirements, ensure compliance with new regulations and attest to this compliance to regulators.
A shift in the way banks address controls requirements
At first, most banks tackled these new regulatory requirements through tactical approaches based on short term and specific remediation plans, which were aimed at responding to or avoiding regulatory sanctions. Those plans were driven by the need to comply with newly implemented regulations within tight mandatory deadlines. As a result, due to the absence of a long term strategy, new controls frameworks were mostly characterized by a reliance on manual processes with controls implemented separately from one another and risk assessments performed silos.
This approach is no longer sustainable as the requirements have become more stringent, leading banks to reshape the manner in which controls are designed, implemented and performed, in order to mitigate greater reputational and financial risks in case of failure.
Lately, a new trend of relying on technology based solutions has been observed among the leading players in the banking industry, with a shift from a need for controls implementation towards a need to rationalize controls processes that have been implemented. This shift gives prominence to a more holistic approach with the objective of achieving greater scalability and sustainability of improved controls while increasing the overall risk coverage. This approach will allow banks to:
- understand and optimize the existing controls performance processes in order to reduce manual workload;
- define a global organization and structure for controls performance in order to ensure additional controls can seamlessly be absorbed.
In a challenging and more regulated environment, this new approach has been enabled by the increasing maturity of technical solutions, particularly recent developments and improvements in digital technologies have generated new digital transformation opportunities and can be a solution to the exponential increase in control requirements. These improvements have enabled a more accurate digitization of physical data leading to enhanced data collection and processing, which are key for any controls process, making it possible to achieve controls automation.
How to successfully conduct controls automation
Although technology is at the foundation of controls automation and the ability to accurately digitize data is essential, it can be viewed more so as an enabler rather than a driver; technology alone cannot lead to successful and exhaustive controls automation if it is not embedded within a broader framework. A clearly defined organization and governance structure for controls are also critical in order to address the challenges of controls rationalization in a consolidated way. To that end, a controls automation framework can be approached through the following three pillars:
The automation should be driven by the implementation of a Target Operating Model that relies on a structure dedicated exclusively to controls performance and adapted to the bank’s specificities (e.g.: centralized centers of excellence at group or division level, taskforces per business line,…) and where corresponding Roles & Responsibilities have to be well established.
The automation also requires the review and optimization of existing controls performance processes and the corresponding data workflow (from data collection to hit management) within and in accordance with the framework provided by this new organization. Apart from the controls performance itself, controls substantiating, audit trail and reporting should also be taken into account in the design phase, as being able to prove the performance of the controls to the regulator has become as critical as the controls performance itself.
This process optimization can then be carried out with and supported by technology, with digitization to automate the data processing while the use of AI can facilitate the process of decision making post performance of the controls. The development and the deployment of a fully integrated tool for each type of controls, based on a single platform and user interface leveraging different technologies or systems will further support controls automation.
In summary, the success of controls automation will lie in the ability to identify and achieve the right balance between the organization defined with the involved teams (from Front Office to Back Office, but also centralized teams and Compliance) and the following steps of any controls performance process:
Once organization and processes have been clearly defined, technical solutions can be leveraged to optimize and automate the various steps of the controls process. Greater impact and efficiencies can be realized by applying the appropriate technical solutions to each phase of the controls process, such as:
- OCR (Optical Character Recognition): extraction and conversion of text from scanned documents and images into electronically editable and searchable text
- VSR (Voice/Speech Recognition): identification and conversion of spoken language into electronically editable and searchable text
- NER (Name Entity Recognition): identification and extraction of named entities from text and classification into pre-defined categories (persons, organizations, locations, etc.)
- RPA (Robotic Process Automation): automation technology based on “software robots”, which replicate the actions of a human being on a specific task, through the use of static rules
Control performance, Alerts and Hits management
- Screening and filtering tools connected to relevant databases: system comparing sets of internal static (screening) or transactional (filtering) data and lists issued by regulators in order to identify matches between both sources, raise alerts and support case management
- Controls systems’ integrated workflow to generate and allocate alerts
- Rule based expert systems: decision making system based on human-crafted rules sets and decision trees to mimic the reasoning and decision of a human operator in a predefined way
- Case based systems: system analyzing a data set composed of existing cases to understand and solve new problems by adapting previous solutions
- Data mining: automatic analysis of large quantity of data based on statistical methods to extract patterns, unusual records or dependencies
Audit trail, substantiating & reporting:
- Controls systems’ integrated workflow to record audit trail and provide modular reporting
While this form of controls automation can apply to various types of controls, it is particularly suited for Compliance controls focusing on data produced and collected externally:
- Anti-fraud Policy: prevent and investigate any involvement of customers in bribery, corruption or fraud;
- Sanctions & Embargoes: ensure all parties involved in a deal are not on sanctions and embargoes lists from local or global regulators;
- Combating the Financing of Terrorism: ensure the funds are not used to finance terrorist groups;
- Anti-Money Laundering: verify that funding sources have not come from illegal activities.
It can be adapted to various types of controls; however, close attention should be paid to deploying the appropriate technology solution for each type of controls:
What is important to keep in mind? Before launching a controls automation project, some key success factors should be considered
The business should be involved in the project from the start
Why is it important?
Lines of Business (LOBs) are the entry point of external data that needs to be controlled, therefore their role is critical. However, as controls oriented initiatives lead to reluctance, obtaining buy-in from the LoBs is often a challenge.
How can close partnership with the LOBs be achieved?
- Leverage strong project management and clear governance through senior stakeholder sponsorship to drive the LOBs towards a collaborative mindset;
- Implement an effective communication plan within a change management program to emphasize the need for controls processes rationalization (highlighting the benefits for the LOBs from a workload perspective) and to ease the adoption process.
The project should be conducted through a strong partnership with Compliance
Why is it important?
Strong decision making from Compliance is recommended in order to provide clear guidelines regarding regulatory requirements, as they determine the needs in controls and their design.
How can close partnership with Compliance be achieved?
- Involve Compliance in the design phase in order to implement regular validation steps and ensure that solutions proposed are an appropriate answer to regulatory requirements;
- Facilitate the communication between Compliance and the various stakeholders of the project in order to spread the knowledge related to regulatory requirements and maintain a regular feedback from the project managers regarding the various ongoing initiatives.
Roles and responsibilities regarding the controls performance should be identified from the start
Why is it important?
As controls performance is often shared among various operators, the understanding of the existing processes relies on the correct identification of the relevant stakeholders with the necessary knowledge.
How can this identification be achieved?
- Perform a preliminary deep dive analysis across various stakeholders (central management, operational teams) to determine the different teams involved in the controls performance processes;
- Identify potential gaps of “business” knowledge between front office teams and centralized teams, to mitigate operational risk associated to how controls are performed and hits are analyzed.
Expectations related to technology should be managed through a specific focus
Why is it important?
Technology might face potential limitations depending on the complexity of the data to be processed and the controls to be performed.
How can expectations about technology be managed?
- Perform a detailed gap assessment of what can be delivered by the selected technologies versus the business requirements;
- Leverage KPIs as a vehicle to raise awareness and communicate transparently to stakeholders at each step of the project regarding potential limitations of technical solutions being implemented.
How Headlink can help
We advise our clients through evolving risk environments as well as strategic transformation projects, notably within the compliance domain.
We can support and lead you through various compliance transformation initiatives, which include the use of advanced technical solutions, to design enhanced controls performance framework.
A controls automation program will require multiple steps in which we can support your thinking and effort:
- Diagnosing your current controls governance Framework and processes
- Benchmarking your existing technology capabilities and identifying improved technologies and solutions to support controls automation
- Designing a controls automation framework that is rightsized for your organization
- Guiding you through the implementation and execution project phases
1figures as of end of 2016, MarketWatch article: “Fed’s Dudley suggests bank execs should be on hook for regulatory fines” (March, 26 2018)