Technology: Compliance Program Asset? Liability?
A common discussion point among compliance professionals is the role of technology in enhancing the capabilities of a compliance program. While the history of reliance on technology as a compliance asset differs across industries, the consensus almost always reverts to the conclusion that more technology is better than less. But increasingly, the gap between technology as a compliance program asset and a compliance program liability is shrinking, and management of this shrinkage is dependent on the evolving skill set of compliance staff, as well as their relationships with colleagues in information technology and information security roles.
Technology can be used both reactively and proactively as a compliance program asset. A common example of reactive use of technology as a compliance program asset in the wholesale energy markets in which Direct Energy participates is the use of trade data monitoring and surveillance to identify actual or potential violations of internal or external requirements. Other examples of reactive use of technology can take the form of surveillance of electronic communications, such as email and instant messaging. Proactive use of technology can come in the form of restrictions on the ability to transmit certain company data externally or limitations on the ability to download data into portable storage devices, such as flash drives. All of the aforementioned uses of technology can, when deployed correctly, greatly enhance and be an asset to a compliance program by allowing the monitoring of considerably larger amounts of data than could otherwise be monitored or by proactively restricting the loss of proprietary or customer data. Indeed, the very fact that the employees are aware that such technology exists serves as a deterrent, in and of itself.
One must also recognize the limitations of technology assets in a compliance program. There is no substitute for the face-to-face working relationships between compliance program staff and commercial team members. It is the human component that must analyze the output of a trade surveillance system. It is important to remember that, just as with any asset, there are costs, both direct and indirect, to acquire, use, and maintain technology in a way that positively supports compliance. While much of the cost-based focus is on the direct cost to acquire and implement a monitoring and surveillance solution, the primary challenge is identifying a solution that achieves the desired balance of direct cost and custom fit. This trade-off, if managed incorrectly, can at best devalue technology as an asset, and at worst make the technology look and feel more like a liability. More is not always better if a company cannot reasonably utilize the full capability of technology. For example, there is a fine balance between designing and calibrating a trade monitoring or email surveillance system that can be reasonably staffed and used and one that inundates the user with a wave of “false positives.” Given the potentially substantial costs to acquire and customize a monitoring and surveillance solution, there is also the challenge to design and implement a system that is nimble enough to adapt to a changing business and regulatory environment.
The range and types of costs associated with a technology-related compliance program vary greatly across industries and between companies. In the case of wholesale energy markets, a commonly encountered challenge is created by the lack of precision in regulatory prohibitions and the challenge of using technology to identify activities that might violate those prohibitions. In such cases, the result could be either inefficient use of human resources to account for the imprecision of the technology solution or the increased risk of undetected instances of potential non-compliance and the related consequences.
A separate, but equally important type of cost is the potential indirect cost associated with reputational harm created by a technology-related compliance program liability. The ripped-from-the-headlines stories of large-scale customer data privacy breaches this year alone are stark demonstrations of the reality of this cost, which has long been recognized in industries with a history of convergence of a significant reliance on technology and the maintenance of a large volume of customer data (e.g., financial services). In many other industries, this potential cost is, or is perceived to be, theoretical or even non-existent. One thing is certain: companies will need to reassess their compliance programs as reliance on technology increases.
The successful management of a technology-related compliance program is dependent on the skill set of compliance staff, as well as their relationships with colleagues in information technology and information security roles. Front-line compliance professionals are increasingly required to utilize analytical and technical skills that historically have not been positioned within compliance teams. In many cases, existing compliance team members have met this need by adding to existing skills. However, a growing trend is to staff compliance team positions with personnel with direct experience in technology-related roles. Additionally, the day-to-day working relationship between compliance and IT/IS staff continues to evolve as the convergence between compliance and technology strengthens. A significant result of this evolving relationship is the inclusion of compliance staff in decisions regarding technology program deployments and modifications at an early stage in those processes.
When assessing the costs of implementing technology in a compliance program, a company is also faced with the challenge of perception. If a company fails to deploy available technology and later has some form of improper activity or a data breach that might have been detected or prevented, will that company then be found to have an ineffective compliance program? Will a regulator or the courts take into account the fine balance between the costs of a program and the relative benefits? Managing those expectations is a considerable challenge, particularly when the company has to predict the future and the critics have the benefit of hindsight.
How well an entity deploys technology in its compliance program determines whether the technology is an asset or a liability. Deployed correctly, technology can significantly enhance a compliance program. Done incorrectly, it can drive a company to incur significant costs either through investment that yielded comparatively little benefit or increased penalties or assessments for the failure of the company to either deploy available technology or, if deployed, use it correctly.