Apromore Senior Advisor Nigel Adams shares his views on business process compliance challenges facing financial services organizations and the benefits of applying process mining to the challenge of staying compliant.
Process Compliance Pain Points
Over the last few weeks several news items caught my eye that reflect just how challenging it is for financial services organizations to maintain process compliance.
For example a case involves a superannuation (retirement) fund [1]. A member of the fund fell victim to a scam by providing personal details that allowed a third party to request the transfer of his retirement savings to their own account. The fund refused to reimburse the member and the ombudsman sided with the fund, as the fund had met its obligations and performed basic checks before disbursement. On appeal to the Federal court, the judge found that the fund did not have the member’s consent to transfer the funds – it wasn’t the member’s signature on the withdrawal form and there was no other form of authentication.
This case highlights some of the issues financial services firms face when trying to maintain compliant processes. The scam example highlights the difficulty in interpreting obligations, what is expected of an organization and how these expectations evolve as technology and community expectations change (there was no call back or multi-factor authentication in place). Not only is it difficult to identify the compliance requirements, but time is also of the essence when it comes to recovering misdirected funds. But several other cases have highlighted how difficult it is to identify potential violations in a complex legacy environment, when the underlying processes are tangled and opaque. For example financial institutions often record numerous fee breaches per month, which may seem like a lot, but in the context of the tens of millions of bank transactions processed per month, it is very much the needle in the proverbial haystack. This also alludes to the cost of compliance – issues can start in one year, be identified a few years later, continue to be a problem, and take several more years to be fully remediated. During this time, millions of dollars may be refunded to customers (even though the institutions often were entitled to charge most of the fees), additional team members may be added, and millions of dollars may be spent on recruiting, training, and improving the processes.
At the heart of this lies the essence of the business process compliance challenge, that is the ability to:
- Identify and interpret the relevant compliance obligations, obligations that can be ambiguous, contradictory, and constantly changing.
- Translate these obligations into compliance rules that can be interpreted unambiguously by a process.
- Analyze millions of transactions and events sourced from a complex, legacy operating environment.
- Check every transaction for compliance violations, in a timely manner, preferably predicting, or even better, preventing violations, and alerting relevant stakeholders immediately.
Easier said than done.
Process Mining Compliance
This is where process mining comes in. It is a technology already used heavily in financial services as a process intelligence platform, helping organizations discover and visualize their processes, analyze process performance, and test alternative re-design options through simulation. Its strength is its ability to analyze and visualize very large datasets. This makes it a perfect fit for helping organizations to maintain compliant processes. Processes never fail at the “high level”. It is the outliers, down in the weeds, that cause the problem, which requires a technology capable of analyzing tens of millions of data events to find the needle in the haystack, not the manual sampling approach common in key control testing. By defining compliance rules as simple queries, every time the data is refreshed a complete process compliance audit of every transaction can be performed. No more sampling.
And defining compliance rule queries forces operational risk and process owners to be very clear about precisely what behavior is expected and what constitutes a violation. In and of itself, this will not address the “interpretation” issue in the superannuation fund’s case, however, many financial services’ processes rely on common controls that are defined generically and at a high level in the control register, e.g., a customer authentication control, a segregation of duties control. The controls are often interpreted differently by different risk and process owners. Translating a control into a compliance rule to be used in a compliance checking query has the advantage of forcing risk and process owners to be specific, which makes it easier to compare how a control with the same name has been implemented across different processes.
The fourth challenge is around timeliness. Some controls are so critical that they must be built into the process to be checked as it is executing, e.g., checking the availability of funds in an account before making a payment. Process mining is traditionally thought of as an analytical tool used with historical data, i.e., it is not suited to real-time compliance checking. However, refreshing an historical event log every 15 minutes means the same compliance-rule querying approach can be applied in near real time. Finding the needle within 15 minutes is a far better outcome than waiting for the customer/deceased estate to find the error several years later.
As the fourth challenge suggests, prevention is better than cure and “compliance-by-design” is a stated goal of many financial services organizations (and their regulators!). As new risks and rules are being evaluated and the relevant control and compliance rules formulated, simulating the effectiveness of the compliance rule design or change to a process, using real data to derive the distribution statistics, can help analysts test alternate configurations of controls and processes. Similarly, auditing post implementation results ensures that the original specification of operating effectiveness is being met and new threats and vulnerabilities identified, e.g., customers finding a new path through a process. In short, a full compliance lifecycle: design time compliance checking, near real-time compliance checking, and audit checking. That is the power of applying process mining to the challenge of staying compliant.
Breaking the Cycle
Testing key controls for design and operating effectiveness plays a critical role in any operational risk management framework. The manual nature of control testing, the complexity of the operating environment, the shifting sands of compliance requirements and process change, coupled with the sheer volume of transactions flowing through financial services ecosystems has made it both expensive, reactive, and subject to error. Process mining offers the potential for a far more comprehensive, timely and cost-effective approach.
Learn more about Apromore process mining for banking and financial services here.
Nigel Adams, Senior Advisor at Apromore, is a thought leader in service operations excellence, with deep experience in the banking sector. He has nearly 25 years of experience focused on creating enterprise value from operational improvement, risk management and performance optimization. Nigel is known for driving performance and transformational change at pace while leading large, multi award-winning teams in complex delivery networks. In addition to a consulting career at KPMG, he has brought his skills to bear for leading banks, including NAB and ANZ, focusing on global payments and cash operations, financial crime, and business performance.
[1] Super scammers defrauded Lee of his retirement savings. Industry experts are calling for better protections - ABC News