The top 10 uncomfortable truths about regulatory compliance

There are no standards for digital notification of regulatory change.
Changes can only (?) be obtained by scraping government/agency websites.
All the major regulatory information suppliers need to have significant manual staffing to perform break/fix work as websites are given periodic makeovers or go through political rebranding exercises.

PDFs are not systematically machine-readable and parseable, because they are not digital!
We cannot hope to move to machine-readable law if we don’t have standard foundational content.
Without standard terminology for each regulation significant amounts of manual, error-prone interpretation will continue to be required.
This is easy to fix and would be a quick win.

Regulators need to have the same operational mindset and toolsets as those they oversee; it’s not a 9-5 job.
Regulators are most needed in times of crisis. However, during the current Covid crisis the Information Commissioner’s Office, ICO, has lost significant credibility https://www.wired.co.uk/article/ico-data-protection-coronavirus
Regulatory processes must be publicly documented and subject to external review – the challenge of “quis custodiet” – who guards the guardians – must be clearly addressed.

We need openly-accessible standard content interchange format mechanisms for advisory and regulated companies.
Lineage needs to be standardised and embedded.
Software development platforms such as GitHub have already addressed this.

Paying to play is really just a disguised cartel.
Pay-to-play standards usually fail to look at examples such as the lethargic adoption of ISO 20022.
Standards which are good-enough and free usually win, for example Ethernet, USB-2.

Many are just questionnaires with trivial pass/fail scoring.
There is no standard form of documentation to demonstrate a control’s requirements have been met at a particular point in time.
There are no standard formats/mechanisms for linking evidence to a control.
The process relies on a “dipstick” periodic review at best – and has become discredited and derided in many large corporations.

The same terminology must apply and be embedded all the way through.
It needs cooperating teams rather than opposing teams or a reactive approach.
Backups and audit trails are not compliance, they just enable “last resort” rummaging in the skip when it is usually too late.

Band-Aid workflow processes to try and address compliance have no lineage connections to underlying regulatory terminology or awareness of upstream change.
BCBS 239 will have a regulatory equivalent soon as the bi-temporality problem of “what did you know and when did you know it?” applies to legal directives and standards too.
The same tools and techniques used in market, reference and risk data can and should be directly applied and are available now.

Lawyers and consultants permeate the current supply chain, offering niche domain opinions and advice.
Fragmented legal advice and opinion are not currently manageable in a consistent fashion, either as a set of changes or as a timeline, so their impact and “value” are not transparent and therefore can’t be routinely tested or challenged.
The legal advisers and consultants need to move away from a reactive document workflow and billing mentality to a peer-reviewed contributory approach.
Their future will be restructured along the lines of current software engineering processes/teamwork.

Legal counsel and compliance officers know that their current “modus operandi” is due for a shakeup but are not prepared to invest or challenge the efficacy of the status quo, despite its many proven failures.
There is a naive belief that AI and Big Data will somehow wave a magic wand over the industry at a future unspecified date and that no one will be harmed.

Evidology Systems Ltd, 2 Camden Park Road, London, NW1 9BG