How to Best Use Data to Manage Your Organization’s
Compliance Obligations

Guy Underwood, RMIA
March 2020

Organizations and those tasked within the organization to manage its compliance obligations
continue to face an ever-increasing number of legislative and regulatory requirements to ensure they
operate in line with regulators’ and the community’s expectations. From managing compliance
obligations relating to legislation addressing terrorism and money laundering (such as the PATRIOT
Act in the US or AML/CTF Act in Australia) through to those involved in managing complex
international supply chains (including the Modern Day Slavery Act in the UK and the Prevention of
Corruption Act in Singapore), organizations must ensure their compliance programs are sufficiently
robust and implemented accordingly.

Data plays a key role in any effective compliance program. However, it also presents numerous
problems to organizations – including:

  • Is the data the right data to meet the necessary regulatory requirements?
  • Is the data set all the data that exists in relation to that particular area of concern?
  • Is the data up to date and current?
  • How is the data protected from external parties, including hackers and criminals?

Even if an organization manages to properly address those problems, it still faces a significant risk –
that of information overload.

Over the course of the last 30 years, I have worked with organizations whom I would describe as
being “data rich/intelligence poor”. By that I mean that the organization has access to large volumes
of data but has failed to get the best value out of that data. For example, data collated as part of a
Know Your Customer program may have value from a customer relationship management
perspective, yet often this information is not shared across the organization due to a lack of
understanding of that value. In addition, the sheer volume of data being presented to an organization
may overwhelm compliance and other staff, leading to a failure to identify trends and patterns in a
timely fashion.

To best illustrate this issue, consider the data collected by an organization with respect to its Know
Your Customer (KYC), Know Your Employee (KYE) and/or Know Your Supplier (KYS) programs.
This data includes information regarding sanction status; Politically Exposed Persons (PEP);
criminal history; adverse media; and ID verification. Aside from the volume of data that is generated
from these types of enquiries, often there are time imperatives as organizations seek to meet their
SLAs and compliance obligations with respect to customer onboarding, transaction monitoring etc.
Ensuring timely analysis of this large body of data can be difficult if the organization hasn’t properly
engaged with its data providers.

Best practice dictates that a Statement of Work between an organization and its data provider should
definitively set out the agreed data sets to be supplied and the prioritization of that data to meet
the organization’s operational and compliance requirements. The prioritization of the data has
significant potential to positively impact an organization’s compliance program from a number of
perspectives:

  1. Relevance – ensuring that data is delivered ranked in accordance with its relevance to the
    underlying requirement for that data is important in ensuring that compliance officers are
    only focussing on the material they need to. For example, an adverse media article relating to
    a supplier failing to use recyclable plastic bags may not be as relevant to an organization as an
    article about that same supplier relating to its directors having been accused by a regulator
    of fraud or misconduct.
  2. Risk – the use of a risk rating will ensure an organization receives data from its provider in
    order of priority, allowing compliance and risk officers to address “hits” that may place the
    organization in a compromised position with respect to its legal and/or regulatory obligations.
    For example, a financial institution would need to know as soon as practicable if it has hired
    a senior executive who is considered a PEP or if it trades with a country or an entity that is
    the subject of sanctions. If those adverse results were contained amongst hundreds of search
    results returned overnight, they may not come to the attention of the relevant compliance
    professionals until too late.

The good news for organizations and their compliance officers is that improvements in technology
and data sources mean they now have the opportunity to customize their searches and results
delivery in a way that was previously not possible. However, the onus is on organizations to ensure
that they engage in open and frank discussions with their data providers to ensure those benefits
deliver the relevant improvements in their compliance obligations.

About the Author:

Guy sits on the Vital4 advisory board and is a fraud and risk management expert who has been involved in the areas of compliance and risk management for over 20 years. He developed a fraud risk management methodology based on the framework of ISO 31000:2009, Risk Management. In 2002, Guy founded RISQ Group, a professional services firm in the APAC region providing background screening, growing the organization to over 150 people across 6 countries. RISQ Group was acquired by Sterling Talent Solutions in 2016.