Exclusive! Paradigm Shift in IT Continuous Compliance

Getting your Trinity Audio player ready...

In today’s fast-paced digital landscape, ensuring IT operational excellence is synonymous with robust security. Organisations increasingly recognise the critical need to fortify their security postures to meet industry requirements and comply with regulatory standards. However, amidst the chaos of addressing immediate security challenges, integrating Governance and Compliance into the mix presents a formidable challenge.

The problem lies in harmonising security, governance, and compliance efforts. Industry demands continuously push for robust security measures, while regulatory bodies stress the significance of compliant systems. The ideal scenario would be that a strong security posture implies a high level of governance compliance. However, achieving this alignment is often complex and elusive.

One key aspect contributing to the prolonged duration of compliance and governance discord is the presence of common issues such as untimely submissions, manual data collection, error-prone processes, challenges with multi-region compliance, and template-based submissions.

These issues highlight the need for a proactive approach to compliance, emphasising continuous compliance, reusability of evidence for multiple submissions, efficiency in collaboration, and quantifying compliance for qualitative clauses.

Industry thought leaders who have successfully navigated this landscape offer invaluable insights and strategies for achieving both security and compliance goals. Future-proofing organisations involve leveraging existing resources and learning from others’ accomplishments. The mantra of Sustain-Build-Buy guides organisations in ensuring a robust security posture while adapting to evolving compliance requirements.

Further, incorporating Generative AI can significantly enhance IT teams’ capabilities in effectively addressing compliance challenges. By harnessing the power of AI, organisations can streamline compliance processes, optimise resource usage, and stay ahead of potential security threats.

The synergy between security, governance and compliance is essential for achieving IT operational excellence. By learning from industry leaders, adopting a proactive approach to compliance, and leveraging emerging technologies like Generative AI, organisations can navigate the complexities of security and compliance with confidence.

The OpenGov Breakfast Insight on 28 May 2024 at the Equarius Hotel Singapore convened industry leaders, IT professionals and regulatory experts to explore innovative strategies and best practices. The event encompassed regulatory compliance, risk management, and governance departments, focusing on automation technologies for future-proofing IT governance and compliance.

Participants gained insights into trends and technologies shaping IT governance and compliance, learned how automation could streamline processes and ensure compliance and had networking opportunities with peers and experts.

Opening Remarks

Mohit Sagar, CEO and Editor-in-Chief at OpenGov Asia, acknowledges that ongoing conflicts and geopolitical tensions characterise the current global landscape and compel individuals and governments to adapt to shifting realities.

These complex dynamics force people to take positions while also necessitating governments to reassess policies and diplomatic stances. Amidst this volatile and precarious backdrop, the theme of adaptability emerges as paramount, particularly in the realm of IT compliance.

“Geopolitical tensions, such as those seen in conflict zones, can have profound implications for data security, trade relations and legal requirements,” Mohit elaborates.“In an era where technology is virtually a part of every aspect of modern life, businesses and organisations must navigate a constantly evolving regulatory environment and be aware of emerging security threats.”

Singapore consistently ranks at the top of ASEAN countries in terms of IT compliance and cybersecurity readiness. Its stringent rules, coupled with proactive measures, contribute to its leadership position in the region.

Mohit explains that Singapore has established comprehensive regulations to govern IT compliance, primarily overseen by the Monetary Authority of Singapore (MAS) and the Personal Data Protection Commission (PDPC). The Technology Risk Management Guidelines for BFSI, the Personal Data Protection Act (PDPA), and the Cybersecurity Act (2018) are other key regulations in place.

However, the compliance landscape in Singapore is undergoing significant changes driven by regulatory updates and technological advancements. There is a growing emphasis on cybersecurity and data protection regulations, with authorities implementing stricter requirements to safeguard sensitive information.

Compliance has always been a challenging task faced by most institutions due to the evolving regulatory landscape, complex technological environments, and the need to balance security requirements with business objectives. To navigate this challenging landscape, Mohit suggests organisations should consider the following strategies:

1. Stay Informed: Keep abreast of regulatory changes and updates relevant to the industry and geographical location. Regularly review regulatory guidelines and increased security requirements to ensure compliance with applicable laws and standards.
2. Engage with Regulators: Maintain open communication channels with regulatory authorities and seek guidance when needed. Proactively engage with regulators or auditors to address compliance concerns and demonstrate a commitment to compliance excellence.
3. Compliance Framework: Enhance the existing framework tailored to the organisation’s specific needs and requirements. Define clear policies, procedures, and controls to address regulatory requirements and mitigate compliance risks effectively.
4. Risk Assessment: Conduct thorough risk assessments to identify potential compliance gaps within the organisation. Assess the impact of non-compliance and prioritise mitigation efforts based on risk severity.
5. Technology Solutions: Leverage automated governance and compliance platforms instead of disconnected, template-based solutions. Streamline compliance processes and consolidate evidence management to enhance data accuracy, facilitate timely reporting, and make decisions, thereby reducing operational costs.

Looking ahead, exciting trends emerge that promise to reshape the compliance landscape. The rise of Reg-Tech solutions and collaborative ecosystems heralds a new era of continuous compliance. By embracing these future trends, organisations can stay ahead of regulatory changes and significantly reduce operational costs in an increasingly digital world.

Singapore is poised to embrace emerging technologies such as artificial intelligence (AI), blockchain, and the Internet of Things (IoT). According to a study by the Infocomm Media Development Authority (IMDA), the nation aims to become a leading global hub for AI by 2030, with an expected 11% increase in GDP driven by AI adoption.

As organisations increasingly leverage these technologies to drive innovation and efficiency, IT compliance frameworks will need to evolve to address the unique regulatory challenges they pose.

“As we consider integrating automation into compliance frameworks, it’s essential to recognise both the challenges and opportunities it presents,” Mohit states. “While automation streamlines processes and improves data accuracy, organisations must navigate complexities such as integration with existing infrastructure, evolving regulatory requirements, and data privacy and security concerns”

However, by overcoming these challenges, businesses can unlock significant opportunities for innovation and efficiency. It will allow organisations to allocate resources more efficiently to tackle other challenges that their companies are facing instead of focusing on one problem all the time.

“The evolving landscape of IT compliance in Singapore and globally necessitates a proactive approach to regulatory compliance and risk management,” Mohit says.“ But by staying informed, engaging with regulators, enhancing compliance frameworks, conducting thorough risk assessments and leveraging technology solutions, organisations can navigate the complex regulatory environment and emerging security threats while positioning themselves for success in the digital economy.”

Welcome Address

David Chan, Managing Director of Adnovum acknowledges the challenges of aligning a robust security posture with regulatory compliance, noting that while these aspects are interdependent, they serve distinct purposes. A robust security posture is essential for safeguarding sensitive data and critical assets, whereas compliance with regulatory requirements is mandatory for organisations handling such information.

However, while a strong security posture can contribute to compliance, it does not always directly correlate with a high score on governance compliance. This is because compliance involves adherence to specific laws, rules, or industry standards, which may not necessarily be directly related to the strength of an organisation’s security measures.

“For instance, an organisation with a robust security posture might still struggle with compliance if it lacks the necessary policies, procedures, or documentation to demonstrate compliance with regulatory requirements,” David elaborates. “Conversely, an organisation with a weak security posture might still be compliant if it has implemented the necessary measures to meet regulatory standards, but these measures may not be effective in preventing or responding to security incidents.”

To achieve alignment between security posture and compliance, David encourages organisations to take a holistic perspective that addresses both aspects. This includes implementing robust security measures, conducting regular risk assessments and ensuring security practices align with regulatory requirements.

A comprehensive approach to cybersecurity involves more than just implementing technical controls; it encompasses organisational policies, processes, and practices. A robust security stance requires proactive measures to prevent unauthorised access, detect and respond to security incidents, and recover from breaches effectively.

David believes that organisations should prioritise continuous monitoring and improvement of their security posture and compliance status to stay practical and up-to-date amidst evolving threats and regulatory changes.

Selecting the right compliance framework is also crucial for firms aiming to enhance their security posture. This involves identifying the regulatory requirements and industry standards relevant to the organisation’s operations and the type of data it handles.

“Adopting a suitable compliance framework provides a structured approach to security governance, ensuring alignment with regulatory demands and industry best practices,” he says.

Once a compliance framework is chosen, companies must map the specific compliance criteria to the relevant security controls. This involves determining the security measures and activities needed to meet the regulatory requirements of the chosen framework.

For example, GDPR mandates data encryption, access controls, and breach notification protocols. By aligning compliance criteria with security controls, companies can establish a clear pathway for implementing and maintaining the necessary security measures to achieve compliance.

Moreover, creating a customised security strategy involves tailoring security measures and processes to address the organisation’s unique threats and challenges. This process starts with a thorough assessment of the current security posture, identifying strengths, weaknesses, and areas for improvement. Based on this assessment, businesses can effectively prioritise efforts and allocate resources to address the most critical security risks.

“A personalised security strategy incorporates a range of measures, including technical controls, policies and procedures, personnel training, and incident response preparation,” David concludes. “By adopting a customised security strategy, organisations can enhance their overall security posture and effectively manage risks.”

Power Talk

Vincent Chong, Deputy Director of Data Technology and Architecture at the Monetary Authority of Singapore (MAS) acknowledges that Singapore’s IT compliance framework, renowned for its robustness and proactive stance on cybersecurity, is crucial in the country’s dynamic business environment. The framework is continuously monitored and adjusted to keep pace with the changing environment.

In this constantly evolving digital landscape, organisations must adapt and future-proof themselves by leveraging resources and learning from others. This involves studying compliance and security practices to stay ahead of emerging threats and regulatory shifts.

Organisations can emulate successful approaches used by others in managing IT compliance, such as real-time monitoring of regulatory changes and centralised compliance management, which have proven effective in ensuring robust security measures. Seeking guidance from industry experts who have navigated Singapore’s regulatory environment can provide valuable insights, enabling organisations to maintain competitiveness and security amidst rapid technological and regulatory changes.

Vincent emphasises the importance of focusing on critical areas to ensure compliance. These include adherence to policies and procedures, risk management, internal controls and employee training and awareness. Regular monitoring and auditing, continuous improvement, dedicated compliance teams, transparent reporting channels, defined compliance metrics and KPIs, and integration into the organisation’s governance structure are essential for ensuring compliance.

In Singapore, the compliance landscape for the Financial Sector Industry (FSI) and government initiatives are evolving to sustain the growth and development of the sector. The Monetary Authority of Singapore (MAS) plays a crucial regulatory role, implementing initiatives aimed at nurturing a robust and resilient financial system.

Compliance ensures financial institutions adhere to regulatory requirements and maintain high governance and risk management standards. This includes implementing adequate internal controls, conducting regular risk assessments, and maintaining sufficient capital and liquidity buffers. The MAS also monitors the financial sector for potential risks and takes measures, such as implementing stress tests and scenario analysis, to mitigate them.

The Singapore government has introduced various schemes to support the growth of the financial sector. For example, the Financial Sector Incentive (FSI) Scheme provides tax incentives to licensed financial institutions, including fund managers, to encourage them to establish and operate in Singapore, enhancing its status as an economic hub.

To support financial institutions’ compliance efforts, the MAS has established various frameworks and guidelines that financial institutions must adhere to, such as risk management and internal audits. Additionally, the MAS conducts regular inspections and examinations to ensure financial institutions comply with regulatory requirements.

Vincent notes that the overarching compliance framework in Singapore for Financial Sector Incentives (FSI) and the government initiatives are geared towards ensuring a robust financial system, ensuring stability and sustainable growth within the sector and bolstering the nation’s position as a leading economic hub in the region. This commitment reflects Singapore’s dedication to fostering an environment conducive to innovation, investment and long-term prosperity.

Varun Srivastava, APAC Head Cyber Security Operations Centre at UBS, echoes the statements. In today’s rapidly evolving digital landscape, organisations grapple with the formidable task of ensuring compliance amid an ever-expanding array of regulations and standards, a challenge further compounded by the integration of disparate IT systems and processes following such transactions.

Varun stresses the need for a nuanced and strategic approach to compliance in the complex landscape of the financial sector, especially amidst mergers and acquisitions. The merger of Credit Suisse and UBS is a prime example and one that presented a distinctive set of challenges, particularly in IT compliance.

One of the primary obstacles organisations encounter post-merger is the integration of IT systems. Consolidating disparate IT infrastructures, applications, and databases into a unified platform demands meticulous planning and execution. Ensuring compliance with regulatory requirements during this integration process is paramount, as any misstep can lead to severe consequences.

Effective data management emerges as another critical aspect of compliance post-merger. The combined entity must manage both the sets of vast data generated by the merger, including customer data, financial records, and transactional data. This requires adherence to data protection regulations, privacy laws, and industry standards.

“Implementing robust data management practices at the outset is crucial to uphold data accuracy, completeness, and security throughout its lifecycle,” Varun explains. “These practices involve effective data governance, meticulous documentation, regular audits and the implementation of advanced security measures to mitigate risks and maintain data integrity.”

Moreover, risk assessment and mitigation become paramount in the context of post-merger compliance. Identifying potential pitfalls associated with the integration process, such as data breaches, system failures, and regulatory non-compliance, is essential for preemptive action. Thorough risk assessments help prioritise mitigation efforts and implement controls effectively.

Varun believes compliance with regulatory requirements is a foundational pillar of post-merger integration. The merged entity must navigate a complex regulatory landscape encompassing various jurisdictions, each with its regulations and compliance mandates. Achieving compliance involves aligning internal policies, procedures, and systems with regulatory standards and industry best practices.

Certification and auditing processes play a crucial role in validating compliance efforts post-merger. Undergoing certification audits ensures the merged entity meets the requisite regulatory standards and industry certifications. This assures stakeholders, regulators, and customers regarding the organisation’s commitment to compliance and adherence to established standards.

Employee training and awareness emerge as vital components of compliance initiatives after the unification. Employees must be equipped with the knowledge and skills necessary to navigate the complexities of the combined entity’s compliance framework. Training programmes should cover regulatory requirements, internal policies, data security protocols, and ethical guidelines. By fostering a culture of compliance and accountability, organisations can empower employees to uphold compliance standards and mitigate compliance-related risks.

Compliance governance serves as the overarching framework for managing compliance efforts post-merger. A robust compliance governance structure ensures compliance is integrated into the organisation’s strategic objectives, decision-making processes, and daily operations. It involves defining roles and responsibilities, implementing reporting mechanisms, and establishing oversight mechanisms to monitor compliance performance effectively.

“Continuous improvement remains imperative in the realm of post-merger compliance. As regulatory requirements evolve and new challenges emerge, organisations must adapt and refine their compliance strategies accordingly,” Varun states.

Regularly reviewing and updating compliance policies, procedures, and controls enables organisations to stay abreast of regulatory changes, industry trends, and emerging threats. By fostering a culture of continuous improvement, organisations can enhance their resilience, agility, and effectiveness in maintaining compliance post-merger.

Ensuring compliance in the financial sector, especially following mergers and acquisitions, requires a multifaceted, comprehensive strategy that includes compliance management, risk mitigation, and technology integration. By tackling these challenges strategically and proactively, organisations can successfully navigate intricacies, paving the way for a seamless transition to a more integrated and compliant operational environment.

Suman Biswas, Director, SEA (Channel and Partner) at Adnovum believes that 2023 will likely be remembered as a pivotal moment when artificial intelligence (AI) transitioned from theoretical possibility to tangible reality.

“Much like the advent of cryptocurrency in the early 2010s sparked widespread interest in distributed ledgers and decentralised virtual assets, recent advancements in deep learning and computational reasoning have ignited discussions about AI’s potential across various industries,” he elaborates.

As new AI technologies begin to permeate the financial services sector, compliance professionals must rethink existing operational models and traditional approaches to risk management, approaching these changes with cautious optimism.

Industry leaders have long recognised the limitations of manual operations and have been exploring advanced technologies such as machine learning and intelligent automation to improve risk outcomes while controlling costs.

Typical applications include automated negative news screening and analysis, data retrieval through robotic process automation (RPA) and application programming interfaces (APIs), template-based narrative generation, and predictive models to enhance decision-making, such as risk scoring for transaction monitoring and list screening alerts.

As more powerful AI tools enter the industry in the coming years, they will enhance core components of compliance programmes. For example, natural language models like GPT-3, which powers ChatGPT, can scan thousands of approved sources for regulatory updates and produce consolidated summaries for senior management to review.

When regulatory changes necessitate updates to firm standards and procedures, AI solutions can draft initial policy documents based on specific inputs and parameters, which human reviewers can refine. An experimental prompt given to ChatGPT to “Write me an AML compliance policy for a US-based financial institution” produced a highly accurate 10-page governance document covering the core tenets of a compliance programme.

Although incomplete, this sample document could be a starting point for broader procedural development. Leveraging technology to support governance will enable firms to significantly reduce the costs of crucial initiatives like regulatory mapping and expedite the change management and procedural update processes.

Currently, financial institutions rely on simplistic models for processes such as transaction monitoring, adverse media screening, and sanctions screening to identify illicit customer activity.

Without highly tuned parameters, these models generate a high volume of false positives that must be investigated and discounted. AI tools can address false positive issues in two ways:

First, improved model-tuning logic can better identify potential accurate matches. Screening for “David Johnson” might produce 1,000 low-quality hits; screening for “David Johnson” with additional inputs like age, address, contact information, citizenship, work history, vehicle registrations, relationship history, and known associates from open and closed sources might yield 11 high-quality results, optimising the reviewer’s time.

Second, language models will capture and highlight the most relevant information for an investigation, reducing handling time and improving material risk identification.

When financial institutions detect potentially suspicious activity, they must investigate and, if deemed material, file a suspicious activity report (SAR) with regulators. SARs, ranging from one to 10 pages, are composed of investigators who combine transactional analysis and risk expertise to demonstrate potential criminal activity to authorities.

These reports are crucial to a robust Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance programme, and the composition process will retain a human element due to variability in risk appetite and decision-making methodologies across institutions.

AI models, when trained on ample data, can already generate standardised reports, promising to significantly hasten the SAR writing process soon. Instead of relying on investigators to draft reports or customise SAR templates with transaction analysis, AI will identify suspicious customer activity, ascertain the corresponding risk typology, conduct open- and closed-source searches to form a coherent customer profile and compose a report delineating the customer’s background, suspicious activity, and rationale for filing a SAR.

“Investigators will shift to a quality control role, reviewing and filing SARs at scale,” Suman is convinced. “This will reduce alert backlogs and regulatory actions while lowering operational costs.

Adnovum, a software company specialising in identity and access management (IAM), cybersecurity, and governance and compliance, can leverage AI in several areas to enhance the compliance roadmap.

By utilising Natural Language Processing (NLP), Adnovum can improve the accuracy of regulatory data processing and analysis, quickly scanning and interpreting vast legal and regulatory documents to ensure compliance.

Additionally, AI’s predictive analytics capabilities can help identify potential compliance risks before they materialise, enabling proactive risk management by analysing trends and patterns in data.

Automating routine compliance tasks with AI can reduce the need for manual oversight and improve accuracy, leading to significant cost savings and enhanced efficiency. Adnovum can combine inputs from open and closed sources to create advanced risk, behaviour, and profitability profiles essential for regulatory compliance.

AI can help protect against cybercrime by identifying potential security threats and strengthening cybersecurity controls, which is increasingly important as the economy becomes more dependent on technology and data.

For Adnovum, transparency and explainability are imperative in the AI decision-making processes to meet regulatory requirements. This involves providing rationales for decisions and enabling institutions to produce pertinent citations for fact-based searches or key data attributes influencing predictive model outputs.

Moreover, enhanced data management by AI ensures the availability, quality, and security of customer data, which are pivotal for regulatory compliance and fostering customer trust.

Ethical considerations hold immense importance for Adnovum’s AI in compliance, especially in decisions impacting customers or employees. It is essential to ensure that AI systems are fair, transparent, and non-discriminatory to uphold trust and regulatory compliance. Leveraging these AI capabilities, Adnovum can enhance the compliance roadmap by enhancing efficiency, accuracy, and transparency while mitigating costs and risks.

Integrating AI into compliance addresses current manual operation shortcomings and prepares financial institutions for the future, where proactive risk management and ethical considerations will be paramount.

“Adnovum empowers institutions to proactively manage compliance risks by vigilant monitoring and adapting to regulatory changes, ensuring adherence even in dynamic regulatory environments,” Suman concludes. “With Adnovum’s AI systems programmed to stay abreast of the latest regulatory requirements, compliance processes are automatically adjusted, ensuring institutions remain consistently compliant.”

Closing Remarks

Suman expressed his gratitude to all participants for their engagement in this transformative event. He felt that this session marked a crucial moment for tech leaders to advance, particularly in terms of AI compliance and regulatory frameworks.

“The indispensability of AI-powered compliance in the digital transformation era is undeniable,” he reiterated. “Its critical role in upholding trust, transparency, and efficiency within the financial services industry is apparent.”

Suman points out notes that having a strong technological foundation – including robust data management systems, advanced analytics, and scalable AI platforms – is crucial for leveraging AI’s full potential. He encouraged organisations to invest in the right tools and infrastructure. This involves adopting advanced technologies and ensuring their effective integration within existing systems.

While industry leaders are eager to embrace AI technologies to enhance operational effectiveness and confidently navigate the evolving regulatory landscape, Suman says, ongoing collaboration and innovation are needed to ensure that AI-driven solutions align with compliance standards and ethical practices.

Suman thanked all the speakers, participants, and organisers for their contributions, noting that their collective efforts would be instrumental in shaping a more secure and compliant financial ecosystem.

Mohit wholeheartedly agrees with the diverse insights and perspectives shared in the session, emphasising the pivotal role of AI in revolutionising compliance and risk management within the financial services industry. The discussions clearly outline both the challenges and opportunities presented by AI, underscoring the importance of adopting a forward-thinking approach.

Organisations must invest in AI-driven solutions to stay ahead in the competitive landscape, but Mohit cautions that, “Leveraging AI for compliance is not just about technological advancement; it’s also about fostering a culture of innovation and adaptability. This ensures you remain agile and responsive in addition to being abreast of regulatory changes.”

While AI holds immense potential, addressing ethical considerations and ensuring transparency in AI decision-making processes is crucial. This involves implementing robust frameworks for ethical AI development, promoting diversity and inclusion in AI teams and fostering collaboration between stakeholders to ensure AI technologies serve the greater good while minimising risks and biases.

He underscored the importance of continuous learning and development to keep pace with AI advancements and regulatory updates, stressing the need for financial institutions to adapt swiftly to changing landscapes. By doing so, organisations can enhance their compliance programmes, reduce operational costs and improve overall efficiency, positioning themselves as leaders in the ever-evolving financial services industry.

In the digital era, data is an invaluable asset driving innovation and growth. Essential for AI, data fuels its learning and decision-making capabilities, offering actionable insights, personalised experiences, and operational efficiency.

“It has been said that data is the new oil. I prefer to say that data is the lifeblood of an organisation Without sufficient data, businesses cannot thrive in the current landscape,” Mohit says. “And like blood, it requires strong protection and purification to maintain its health and effectiveness. Compliance is how we do that.”

Clean, accurate data ensures reliable AI outcomes, while vast data availability enhances pattern recognition and performance. Sharable data fosters collaboration and innovation but must be balanced with strong data security to protect sensitive information. Proper data storage ensures accessibility, scalability, and integrity, forming the foundation for effective and trustworthy AI systems.

Mohit expressed optimism about the future of AI in compliance, acknowledging that the collaborative efforts and insights shared serve as a strong foundation for future innovations. He reaffirmed their commitment to driving AI excellence and supporting the industry’s journey towards a more technologically advanced and compliant future, where AI-powered solutions play a central role in shaping the landscape of regulatory compliance.