Intelligent surveillance – the death of random review?

Everyfinancial institution today is at the mercy of constantly changingregulations. Each new mis-selling or market abuse scandal brings withit a tightening of the rules: whether it is a major shift like theintroduction of the Sarbanes-Oxley Act and the Basel II Accord, orthe cumulative effect of successive administrations and regulatoryregimes adding new sections and clauses to existing regulations.

In a survey of board directors of US public companies conducted byDirectorship Search Group and RHR International, the cost ofcompliance with Sarbanes-Oxley alone was estimated at $16 million percompany per year. In 2007, Basel II comes into force and introducesnew regulations for identifying, assessing, measuring and controllingrisks in the banking sector. The IT project supporting compliance hasbeen described by the Economist Intelligence Unit as "morecomplex than Y2K and Euro projects".

Companies are starting to realize that compliance cannot become a money pit: it cannot be an expensive box-ticking exercise. It must be seized as an opportunity to improve internal governance, so that the cost of compliance delivers a return on investment in improved management and planning and assured business continuity. Companies also need to introduce systems that can easily be adapted to cope with future regulatory changes. While the nature of future regulation amendments is uncertain, their occurrence is guaranteed.

Onemajor investment bank has been given the green light from theNational Association of Securities Dealers (NASD) to use a new methodof supervising communications. NASD rules stipulate that: "eachmember shall establish procedures... for the review by a registeredprincipal of incoming and outgoing written and electroniccorrespondence of its registered representatives with the publicrelating to the investment banking or securities business of suchmember". The rules aren't specific about how this shouldbe achieved, but given the volume of communications banks deal with,random sampling is the best most can do. Conventional wisdom is thatbanks should be sampling about 5 per cent of emails, but they typically onlymanage to review a tenth of that. One bank said, "to review 5 per centof our emails, we would need to have ten people working 24 hours aday, seven days a week and reviewing an email every five seconds".The bank in our example sends and receives one million emails a day.

Randomsampling isn't an efficient way to supervise staff. Firstly,white collar criminals could use the company's email systemwith 99.5 per cent confidence their communication won't be intercepted.Employees can continue committing regulatory breaches. By the timethe evidence is discovered in the communications archive as a resultof an investigation it's too late: the damage is done and theevidence is in the company's data vaults.

Secondly,a day spent reviewing golf club invites, compliant business emails,spam and office humor is a waste of experienced compliance officers'time. Making them speed-read irrelevant emails will demotivate andexhaust them, and could interfere with their ability to spot realcompliance breaches that do cross their screens.

Forthese reasons, the bank in question has abandoned random sampling andis meeting its review obligations using policy enforcement, atechnology that detects and stops policy violations before theyoccur. This "active policy management" approachenables the bank to review 100 per cent of the emails that present acompliance risk, without wasting time reviewing others. The softwareenforces policy by analyzing the words, context and meaning ofemails, instant messages and other electronic communications,including those made through Bloomberg terminals and handheld devicessuch as the BlackBerry. Any messages that breach regulations orcorporate policy – including theft or leakage of intellectualproperty – are flagged for review and blocked before they aresent.

Activepolicy management is superior to alternative lexicon-matchtechnologies in a number of ways. For example, lexicon-matchprocesses are unable to determine context: they would be confused bythe difference between "laundering" a shirt and"laundering" money. These technologies enableexception-based review, but aren't smart enough to eliminateenough background noise. Lexicon-matching systems can flag as much as5 per cent of the total email, of which only 5 per cent justify review.

Becauseactive policy management technologies analyze not just the content ofthe message, but also its meaning (its concept) and who iscommunicating with whom about what at what time (the context), falsepositives are eliminated.

Theend result is that the institution continues to sample a percentageof its electronic communications: the difference is that the sampleis chosen according to those communications most worthy of review,rather than being picked at random.

Whilecompanies and their regulators share the goal of protectingbusinesses, investors and markets from the enemy within, it'snatural for companies to fear the forces that can shut them down. Sofar, they've been lucky. Regulators have been forced to waitfor tip-offs or leads from compliance departments, auditors orinvestors before they can swoop in for the kill.

Butnobody knows what "smoking guns" might be hidden in thecommunications archive. Some argue it doesn't matter becausenobody has the resources to trawl the ever-growing archive lookingfor them, and the odds of discovering an offense through randomsampling are slim.

Thiswill change. It's easy to foresee a time when regulators willuse technology in place of whistleblowers to provide the 'tip-off'they need. In the same way that companies can use active policymanagement software to focus their attention on communications thatrisk breaching regulatory guidelines before they take place,regulators could use intelligent surveillance applications to minethe archives for evidence of policy breaches. These applicationsprocess the communications archive, applying policies retrospectivelyto identify potential breaches that took place in the past. Likepolicy enforcement tools, intelligent surveillance tools analyze thecontent, context and concept of old messages to find those that arelikely to be non-compliant.

TheSEC is already making plans to process the stacks of paperwork ithandles relating to active investigations in this way. "All thetools that we're deploying will allow the attorney to find similarconcepts using different vocabulary, recognize patterns in the wayemails are exchanged, and other, more-advanced kinds of analysis,"says R. Corey Booth, the SEC's chief information officer. "Onecan only imagine how much more productive this will make us."

Aswell as the burden of increasing regulation, companies will faceincreasing determination by regulators to enforce existing regulationin full. Booth, who was appointed in January 2004, has led thedevelopment of a five year plan that includes the electronicsearching and retrieval of scanned documents and the possible use ofExtensible Business Reporting Language (XBRL) for filings. The aim isto use advanced analytical tools to spot apparent irregularitiesbefore they become problems, and direct investigative resourcestowards them. The IT infrastructure has been upgraded to handle the30 to 50 terabytes of data that Booth expects the SEC to amass overthe next year. The IT review has been prompted at least partly by theSarbanes-Oxley Act, which stipulates that the SEC must review thefilings of a third of the companies it regulates each year.

Useof more intelligent technology will enable the regulator to becomemore aggressive and more successful at spotting crime. Humanresources previously engaged in fishing for evidence can now bedirected to study questionable data, ensuring that less time andmoney is wasted while the valuable work of protecting the economygoes on.

It'sthought-provoking to wonder what would happen if the regulators wereprivatized and effectively paid for performance. How much moremotivated would that make them? How much more would they invest indeveloping and deploying IT that can forensically examine businessdata to isolate evidence of offenses? While the penalties meted outto corporate criminals often fall a long way short of the costsincurred in prosecuting them, one day we might see governmentrewarding independent regulators for successful prosecutions.Regulators would be motivated to find all breaches, and thegovernment would be confident all its outlay was spent oninvestigations that conclude successfully and so offer greatestprotection to the market.

Thought-experimentsin privatization aside, the threat posed by regulation will increase.It threatens budgets through the cost of compliance, particularly inbusinesses that do not have a robust IT infrastructure that can beeasily adapted to meet new compliance requirements as they emerge.Any company that has undiscovered 'smoking guns' in thecommunication archive risks being caught by regulators who, as theybecome more effective, will spot breaches the company doesn'tknow it's committing. Financial penalties and a drop ininvestor confidence will follow swiftly.

Byusing the principles of active policy management, banks can protecttheir customers, staff, investors and ultimately themselves –and keep up with ever-changing regulations.

The author is CEO of Orchestria.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.