Corporates cannot afford to manage compliance in isolation. With the globalization of supply chains, entering new markets and working with unfamiliar partners can introduce major risks for the enterprise. At the same time, managing compliance — not only across an organization, but across all its partners and vendors — has overloaded some compliance departments that still continue to rely on spreadsheets.
This is the context in which the regulatory technology (RegTech) boom has emerged, with KPMG estimating that one-third of all regulatory spending will be on RegTech solutions by 2020. The first half of 2018 saw $1.37 billion in RegTech investments, more than the entire year of 2017, KPMG noted in a recent report.
Undoubtedly, data is a critical component of corporates' ability to digitize, automate and enhance their compliance efforts. Yet, despite the surge in compliance technology innovation, many organizations continue to rely on legacy solutions to conduce due diligence and avoid regulatory fines. According to compliance technology firm GAN Integrity, that problem can be chocked up to the fact that — unlike finance departments with their accounting and enterprise resource planning (ERP) systems, and unlike sales teams with their customer relationship management (CRM) software — compliance teams often lack a digital tool to centralize data.
"Finance has accounting and ERP systems. HR has HR systems. Sales has Salesforce. All of these departments have a system of record," said GAN Integrity VP of Marketing Adam Kaiser in a recent interview with PYMNTS. "There hasn't really been a compliance system of record."
What makes that system of record so valuable, he continued, is data, and a system's ability to collect data across systems and between business partners, whether they be vendors, service providers or merger targets.
Today, even for some multibillion dollar organizations, Kaiser described the compliance management landscape as "messy," fraught with paper, emailed correspondence and spreadsheets. With so much data necessary to adequately conduct due diligence and assess the risk of a third party, this reliance on outdated procedures means many compliance teams are forced to wait until something bad happens to take action.
Non-compliance fines today reach into the billions of dollars, with companies often sanctioned for the actions not of themselves, but of their partners.
Take U.K. banking giant Lloyds Bank, for example. The financial institution (FI) continues to face fallout from reported fraud occurring at another financial institution, HBOS. Lloyds is on the hook for the allegations, however, because it acquired the company in 2009. It wasn't until 2013, though, that a whistleblower came forward with the claims.
Then there's Facebook, the social media giant fined $1.6 billion last October by U.K. authorities for the misuse of its data from a third party, Cambridge Analytica. Under Europe's new Global Data Protection Regulation (GDPR), the fines could have been much higher, regulators warned.
The evolution of regulations like GDPR is adding pressure on companies' compliance practices, and their ability to mitigate the compliance risks that third parties bring to the table, noted Kaiser.
"One major issue is vendor data security and GDPR," he said, "working with third parties that are data collectors, that have access to confidential data of yours. If you're not keeping an eye on those third parties, that can also be an issue for you."
Along with RegTech, some other emerging buzzwords in the corporate compliance landscape today are technologies like artificial intelligence (AI) and machine learning (ML). Regardless of the tool being used, data has quickly moved into the focal point of these solutions, not only in maintaining compliance as it relates to the use and security of data, but using data to actually maintain compliance.
Kaiser emphasized the importance of compliance teams being able to aggregate the data they need, and to standardize it into a single portal to be most effective. When the cyber risk of a denial-of-service (DoS) attack emerges, compliance teams need data on demand to monitor that risk on a consistent basis, and to develop a monthly plan of how to mitigate that risk and maintain compliance.
When a company expands into a new market by working with an unfamiliar vendor, that firm must be able to aggregate the necessary data on its partner to maintain compliance. Having that digital data in a central location with access on demand also means companies can more quickly find the information regulators are looking for, if inquired, about possible non-compliance.
The billions of dollars in fines levied against corporates around the globe by regulators are expected to increase in value over the years ahead. Beyond avoiding financial losses, the repetitional damage linked to non-compliance is often immeasurable.
Kaiser said corporates must understand the ethics of how they're operating, as well as take a proactive stance with their compliance efforts. As RegTech continues to innovate, data will remain at the heart of these efforts.
"Having a platform to organize [that data] into one place gives companies a single repository," he said. "It standardizes that data, and they can make more accurate decisions and offer that data to regulators if something goes awry. Having digital data is certainly critical to that. Those tools can communicate better, and can offer a better sense of what's going on with the business."