RegTech is set to have a pivotal year in 2021. The pandemic has brought the advantages of using regtech very much to the fore. A particular example has been communication surveillance, given recent announcements from the UK Financial Conduct Authority (FCA)
on the subject of monitoring home workers as effectively as those in an office environment. Other areas of focus continue to be anti- money laundering and know-your-client, regulatory horizon-scanning and regulatory reporting.
These are the big subjects that are often splashed across the press and on social media, and while they are certainly important, they often take up all the attention and eclipse other potential areas where regtech might be beneficial. One example is policy
management.
Some might query the value of a policy management system. Surely this is a luxury, or a waste of all those valuable change budget dollars, pounds or euros? After all, can it be that difficult? Write a document, get it reviewed and approved, store it somewhere
centrally, send it to all staff and periodically update it when regulations or processes change. Easy. Or perhaps not.
Word processing packages such as Microsoft Word have an extraordinary number of functions that allow the user to produce a policy document, capture versions, share with others and collect comments in one version, while providing the capability to structure
the document and create a universal template. There are other apps that allow for central storage and distribution, plus the ability to schedule for regular reviews.
Most people only know how to use around 10% of what Word is capable of, however. The following scenario may be recognisable to many:
- Tech dinosaur reviewers email replies with all the suggested changes that should be made in the document. If they are truly pushing the technophobe boundary, they send a paper version with scribbles everywhere.
- Several of the more technically-able reviewers send back a "reviewer" version of the document, all nicely marked up, but unfortunately this means there are now five to eight of these separate documents to merge into a master version (yes, the one saved
on the drive that allows everyone to mark up the same version).
- The really busy reviewers reply to versions that are now several versions behind. There are so many versions that it is hard to tell which is the latest.
- Final approval of the document comes in the format of e-mails, telephone calls, Post-It notes, with "approved" written on the front of the paper document.
- Meanwhile, because it is taking so long, something changes fundamentally and it has to be completely rewritten.
- Someone in the front office says they do not read policy documents anyway as they are too long, boring and they do not know where they are stored.
Regulatory burden
On top of all this, the regulatory landscape is changing continuously as regulators worldwide pour out more and more updates. These changes will affect multiple policies within an organisation, making the processes outlined above even more complex. It is
not unheard- of for organisations to take six to nine months to get policies through their internal processes.
Acceptable? Probably in the 1980s, but in the 21st century, not really. Especially in the light of the pandemic.
"Dealing with regulatory issues all comes down to admin work, and a lot of admin work means working on high-value documents. What we've seen on the market recently is that internal communication and internal collaboration, especially on everyday changes,
in these difficult times, have been stifled. We have seen that firms started changing and implementing new regulatory guidance and government guidance into their business continuity plans, into their policies and procedures and processes almost on a daily
basis. And then, one important part is communicating these changes on a daily basis; making sure that employees are aware of new rules of engagement with this new world which we're living in has been difficult. It's extremely important to make sure that this
happens," said Evgeny Likhoded, CEO and founder at ClauseMatch and a leading expert in policy management and compliance automation.
"These are familiar problems for many organisations. Our customers look to us when they realise that managing their policy lifecycle in Word, SharePoint, email and spreadsheets makes compliance and communication harder and adds too much time to people's
workload," David Noble, VP business development at ClauseMatch echoes.
Improving the policy management process
Looking at the core process, and the inability of many staff members to use the various tools available, it is clear that organisations need a policy management system that forces them down a defined process — document creation and central storage, version
control, single source of the truth for review, comment and approval, and a workflow process to wrap around it. This alone should improve any poor policy management process.
In many ways, however, that is like getting excited about pouring the foundations of a new house, i.e., it is basic and fundamental and, in today's world of exciting technology advances, nothing really to get excited about. The true benefits from such a
system, however, are the inputs to and outputs from it.
Policy management is part of the "regulatory landscape" process. Broadly, this is regulator contact, horizon-scanning, obligations, policy management, controls, various reporting needs and, importantly, the surfacing of policy information to users.
Policy is fundamentally driven by regulation and what an organisation is obliged to do. Given that the regulatory burden continues to be huge, it might initially seem more sensible to leave the policy review in the hands of the compliance team, but that
was not why the organisation hired highly experienced and expensive compliance resources (let alone other, equally busy teams such as risk,
technology and operations). Compliance should instead be focusing on insight and partnering with the business, not remembering that various planned changes by a multitude of regulators could affect any number of policies.
RegTech to the rescue
The RegTech world provides a solution. Most solutions now provide API "hooks" in and out of the application. This means that organisations can connect their policy management systems to their horizon-scanning and obligations systems. As changes are highlighted
or become obligations, they can automatically flag up the policies that will be or are affected by the changes. This can then be flagged to the appropriate individuals who own the policy, who can schedule in a review.
To return to the housing analogy, even this is not the exciting bit — at this stage only the basic structure of the property is there, and admittedly it may also be waterproof. The really exciting bit (where to position the television or arrange the family
photographs) is how to implement "controls" and how best to surface the policy information.
Controls
Policy should help to define the controls in a business, and controls allow it to undertake self-assessments on a regular basis. Failure of controls, especially bad ones, can lead to regulator intervention. At best, it leads to a flurry of internal activity
to put things right. Often, but not always, it is a failure of a control or the lack of one.
Connecting the policy management system to the controls (risk management) system should allow an organisation to have new controls flagged for implementation more speedily. Again, it takes the reliance out of the hands of individuals who need somehow to
remember to connect the dots when they are generally very busy with day-to-day processing.
Surfacing policy information
Another conundrum can be how best to surface the data contained in policies to staff. People rarely look at a policy document when it is sent out. Given that the standard attention span for video communications to staff is approximately 1.5-2 minutes before
they lose interest, it is unlikely they will read a 20-plus page document on policy (which may well be rather dry) unless it is part of the annual mandatory training requirement.
Fortunately, the tech world has again found a solution — virtual assistants or chatbots. Even the most basic entry-level chatbot can achieve a 90% success rate on answering questions about basic policy documents, and that is before they get sophisticated
and can be tied directly into underlying systems, or artificial intelligence is applied.
These "assistants" can sit on desktops and be easily available to staff. When they need answers, they can pull up sections of the policy based on the questions or even click on direct links into the policy. Chatbots have a much wider use, but they can help
pull strands of information together about which policy is fundamental.
Forgotten gem
At the beginning of this article, the author said that policy management was often the forgotten gem in terms of regtech, and this needs to change. Policy management runs like a thread throughout an entire organisation, and any delay in implementing a strong
policy management process may have unexpected consequences. Policy affects all staff, and the quicker the organisation can supply valuable, up-to-date information to staff, the better.
The user journey only works if it is considered end-to-end. Horizon-scanning or risk management systems might be the burning issues that have to be resolved today, but organisations must keep a close eye on the overall strategy and that end-to-end process.
Policy management will have its day when people realise that it underlies — and has an impact on — many of the essential processes in the organisation.
Author: David Cowland, innovator and ex-head of compliance operations at Fidelity International