Artificial Intelligence (AI) is a transformative technology that has the potential to reshape how businesses approach regulatory compliance in IT services.
The Growing Challenge of Regulatory Compliance
In today's rapidly evolving digital landscape, regulatory compliance has become a critical priority for organizations across industries. The increasing complexity of regulations, coupled with the sheer volume of data, documents and reports, has made compliance a daunting challenge.
Regulatory compliance refers to the adherence to laws, regulations, guidelines, and specifications relevant to business operations. Non-compliance can lead to severe penalties, legal liabilities, and reputational damage. With regulations becoming more stringent and the regulatory environment more dynamic, businesses must ensure they meet these requirements efficiently and effectively.
IT regulation is a relatively new segment in the EU, primarily applying to participants in the financial markets. While the risks associated with IT are hard to overstate, the growing body of regulation on digital operations is burdening businesses and diverting resources from their core activities.
The Digital Operational Resilience Act (DORA) was officially published on December 27, 2022, two years before it comes into force. This timeframe may appear generous, yet given the complexity and demands of DORA it is actually a short period in which to assess the current status and identify the enhancements needed to reach the objectives DORA requires.
Our Added Value in the context of DORA
MAQIT S.A. is a Luxembourg-based consulting and advisory firm that specializes in anti-money laundering (AML) and information and communications technology (ICT) compliance. We offer clients across the EU the wealth of our knowledge and over seven years of experience in these fields.
In the context of DORA, MAQIT proposes the following 3-stage approach:
To assist a client in achieving DORA readiness, MAQIT:
reviews specific regulatory requirements through risk assessment, identifies regulatory gaps and assesses their impact on business (DORA Readiness Assessment Service),
develops a prioritized action plan, drafts and implements policies, procedures and test plans that ultimately lead to the completion of the DORA information register (DORA Strategy and Planning Service).
To help a client with maintaining compliance with DORA, MAQIT:
activates, measures and adjusts DORA controls effective at operational level,
collects operational data and insights based on usages,
implements changes to policies, procedures and controls to ensure they remain effective.
To simplify DORA compliance monitoring for a client, MAQIT also provides expertise and methodology as services which are beneficial not just for financial market participants, but also for companies from other industries:
ICT Outsourcing Manager as a Service,
Information Security Officer as a Service.
Whether it involves conducting a readiness evaluation, supporting the implementation of a client's DORA strategy, or assisting in monitoring DORA compliance, MAQIT boasts a broad spectrum of expertise and knowledge to drive clients toward more secure IT operations. AI could assist at each of the three previously mentioned stages.
Why we decided to use AI
At MAQIT, to deliver services in IT regulatory compliance, we handle a vast array of texts. On one hand this includes directives, circulars, regulatory technical standards and other requirements; on the other hand, the contractual agreements, policies, procedures and other internal documents of our clients. We offer ready-to-use templates of policies and procedures for companies that are new to the EU markets (e.g. startups or EU branches of global companies). At the same time, we also provide IT compliance gap assessment and advisory services for companies that are already operational. Traditional compliance assessment involves manual auditing of clients' documents, which is not only time-consuming and resource-intensive but also prone to human error. The task demands high-level expertise and is exceedingly difficult to double-check.
Upon the announcement of DORA by EU regulators, we anticipated a significant surge in demand for our services and chose to integrate AI to expand our business operations. The need for a more efficient, accurate, and scalable solution was evident, and this is where AI came into play.
To streamline our work and enhance efficiency, we use the MAQIT knowledge base, which organizes all IT regulatory requirements and connects them to overarching controls. Our reg-tech platform regulat.io already holds all the data needed to apply AI, so we decided to leverage the natural language processing power of AI to assess the DORA readiness of our clients.
Use Case: DORA Contractual Gap Analysis powered by AI
The business case entails evaluating a company's readiness for DORA within the outsourcing management segment, specifically by verifying whether the terms and conditions of all third-party service provider contracts are in full compliance with DORA.
One of the DORA readiness assessment tasks is analyzing documents that outline the contractual arrangements with a third-party service provider, including service level agreements, terms and conditions, among others.
The problem MAQIT solves - DORA regulatory requirements related to ICT outsourcing contracts
Article 30 of DORA sets out the contractual rights and obligations of financial entities and ICT third-party service providers when using their services.
Existence of a Written Documentation: The full contract, including service level agreements, must be documented in one written document, available in a durable and accessible format.
Clear description of Services and related service level descriptions: A clear and complete description of all functions and ICT services to be provided, including any hardware services and technical support. This includes detailed service level descriptions with quantitative and qualitative performance targets for effective monitoring.
Subcontracting Conditions: The conditions under which subcontracting of ICT services supporting critical or important functions is permitted.
Data Processing Locations: The regions or countries where the functions and ICT services are to be provided and where data will be processed must be specified.
Data Security Provisions: Provisions on availability, authenticity, integrity, and confidentiality in relation to the protection of data, including personal data, as well as provisions ensuring access, recovery, and return of data in an easily accessible format in various scenarios, such as insolvency or business discontinuation of the ICT service provider.
Incident Assistance: The obligation of the ICT service provider to assist the financial entity with ICT incidents, at no additional cost or at a predetermined cost.
Right of Audit from Regulatory Authorities: Full cooperation with competent authorities and resolution authorities is required from the ICT service provider.
Termination Rights: Termination rights and related minimum notice periods must be included, in line with the expectations of competent authorities.
The above items require a thorough analysis of up to a hundred pages per provider, and sometimes even more. Information is frequently dispersed across a multitude of documents, and every provider follows its own logic. It goes without saying that the task is akin to looking for a needle in a haystack, which is precisely why MAQIT has proposed the use of AI in the following context:
Step 1. Assessment
The user inquires whether the contractual documents associated with a third-party service comply with the applicable regulatory requirements and, if not, which specific aspects of the documents are non-compliant, namely:
List of requirements that are MET with references to corresponding clauses (paragraphs) of the document,
List of requirements that are MET PARTIALLY with references to corresponding clauses (paragraphs) of the document,
List of requirements that are NOT MET at all.
During the assessment step, AI assists the user with its capability to search multiple documents and cross-check whether the contractual documents meet the regulatory requirements. To do so, the AI takes into consideration specific AI-ready control questions and also leverages previously mapped regulatory controls. These AI-ready control questions are the result of an investigation MAQIT performed earlier and are used as configuration parameters for the AI.
Step 2. Recommendations
If any compliance gaps are identified, the user needs guidance on aligning the documents with the corresponding requirements.
The user wants to get:
Detailed recommendations for every item in the previously identified list of requirements that are NOT MET or MET PARTIALLY (the same list as in the previous use case, but with suggested wording for each compliance gap that is found),
For further research, a set of references to previous cases, including but not limited to questions and answers with auditors, published regulatory guidelines or Q&A documents, and similar contractual documents from a comparable context that contain an adequate clause. The user uses these references to perform further investigation.
Implementation
Picture 1. The Architecture Diagram
The UI helps to implement the following algorithm:
The user uploads contractual documents using a web-form (Picture 2);
If needed, the user can choose one of the available AI models (Picture 2);
The AI Assistant processes the uploaded documents to create so-called “document chunks” for further analysis;
The AI Assistant switches into the Chat Mode (Picture 3);
The user can now ask their precise questions to check every regulatory requirement relevant to the uploaded documents.
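The assessment flow described above (chunk the uploaded contract into clauses, run the control questions over the chunks, report MET / MET PARTIALLY / NOT MET with clause references) as an added, runnable sketch; this is not MAQIT's code, the contract text is constructed, and a deterministic keyword matcher stands in for the AI model and for MAQIT's real control questions.

```python
import re

# Constructed sample contract. Clause 3 names only where services are provided
# (not where data is processed) and no clause covers termination, so the check
# should report one MET PARTIALLY and one NOT MET requirement.
CONTRACT = """\
1. Scope of Services. The Provider shall deliver hosting and technical support
   for the Customer's payment platform, with 99.9% monthly availability.
2. Subcontracting. Subcontracting of services supporting critical functions
   requires the Customer's prior written approval.
3. Data. Services are provided from data centres in Luxembourg. Data shall be
   kept confidential and its integrity and availability protected; on
   insolvency of the Provider the Customer may recover and obtain return of
   its data.
4. Incidents. The Provider shall assist the Customer with ICT incidents at no
   additional cost.
5. Audit. The Provider shall cooperate fully with competent authorities and
   resolution authorities.
"""

# Hypothetical control questions: Article 30 requirement -> terms a clause must
# mention. A real deployment would send the question to the AI model instead.
CONTROLS = {
    "Service and SLA description": ["services", "availability"],
    "Subcontracting conditions": ["subcontracting", "critical"],
    "Data processing locations": ["provided from", "processed"],
    "Data security and return": ["confidential", "integrity", "return"],
    "Incident assistance": ["incident", "cost"],
    "Regulatory audit cooperation": ["competent authorities", "resolution authorities"],
    "Termination rights and notice": ["terminat", "notice"],
}

def chunk_clauses(text):
    """Split a contract into (clause number, clause text) chunks on numbered headings."""
    parts = re.split(r"(?m)^(\d+)\.\s", text)
    return [(num, " ".join(body.split())) for num, body in zip(parts[1::2], parts[2::2])]

def assess(contract, controls=CONTROLS):
    """Return {'MET': [...], 'MET PARTIALLY': [...], 'NOT MET': [...]}; each entry
    is (requirement, sorted clause numbers that support it)."""
    chunks = chunk_clauses(contract)
    result = {"MET": [], "MET PARTIALLY": [], "NOT MET": []}
    for req, terms in controls.items():
        hits = {t: [n for n, body in chunks if t in body.lower()] for t in terms}
        found = sum(1 for refs in hits.values() if refs)       # terms with evidence
        refs = sorted({n for r in hits.values() for n in r}, key=int)
        status = "MET" if found == len(terms) else "MET PARTIALLY" if found else "NOT MET"
        result[status].append((req, refs))
    return result
```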
Picture 2. The Main Dialog Form
The MAQIT application ensures the accuracy of AI-provided answers by allowing users to ask control questions. These questions enable users to verify the results and guide the AI on how to process the information.
Picture 3. An Example of the Chat Form
Even though it is just a prototype, the result obtained is quite impressive. The next step is to integrate our AI Assistant into regulat.io - an online regtech platform that helps to manage information necessary for ICT regulatory compliance.
Manual review of third-party agreements is a notably costly and time-intensive task. By combining our know-how and expertise with AI technology, we at MAQIT believe we can fully meet the stringent deadline of January 17, 2025, when DORA will be implemented.
Why we chose IBM
The IBM® watsonx™ Assistant service combines machine learning, natural language understanding, and an integrated dialog editor to create conversation flows between a corporate information system and its users.
The Assistant v2 API provides runtime methods a corporate application can use to send user input to the AI model and receive a response.
The key reasons we used IBM® watsonx™ for the use case described above include:
Using watsonx™'s computing power enables us to store potentially sensitive documents securely on our own servers. This is crucial, particularly when dealing with a substantial volume of document data.
watsonx™ offers a diverse range of pre-built AI models, allowing MAQIT to effortlessly choose the most suitable model for our needs. The configuration and selection of a model are currently underway. We expect that future adjustments to our investigations will necessitate the appropriate retention and management of control questions by our team.
IBM furnishes extensive documentation that has allowed us to use watsonx™ without significant development effort. Within a few days of work, alongside our consulting activities, we were able to operate watsonx™ effectively.
Real-World Applications and Success Stories
Many organizations have already begun leveraging AI for regulatory compliance with notable success. For instance, financial institutions use AI to monitor transactions for suspicious activities, ensuring compliance with AML regulations. Healthcare providers employ AI to protect patient data and comply with health information privacy laws like HIPAA. These examples demonstrate the versatility and effectiveness of AI in addressing compliance challenges across various sectors.
DORA pertains solely to financial service providers, yet it will undoubtedly encourage the use of AI to automate tasks in IT regulatory compliance.
Challenges and Considerations
While AI offers significant benefits, implementing AI-driven compliance solutions is not without challenges. Organizations must have well-structured regulatory requirements and specialized reg-tech platforms to implement AI-powered compliance solutions. Integrating AI into existing compliance frameworks requires careful planning and collaboration between IT, legal, and compliance teams.
However, small- and mid-sized companies often find it challenging to afford the luxury of developing their own AI-powered regulatory technology solutions. For those hesitant or lacking the resources to invest in AI integration research and implementation, reg-tech solution providers such as MAQIT offer assistance at a reasonable cost.
The Future of AI in Regulatory Compliance
As AI technology continues to advance, its role in regulatory compliance is expected to grow even more significant. Future developments may include more sophisticated AI models that can understand and interpret complex regulatory requirements.
In conclusion, AI is poised to revolutionize IT regulatory compliance services by automating processes, enhancing accuracy, and providing valuable insights. By embracing AI, organizations can not only meet their compliance obligations more effectively but also gain a competitive edge in an increasingly regulated world. As we move forward, the synergy between AI and regulatory compliance in general and IT regulatory compliance in particular will be crucial in navigating the complexities of the digital age.
Please do not hesitate to contact Luc Maquil should you want to know more details on using AI or need any assistance with DORA adoption.