Does Automation Heighten Compliance Risks?


Insurance and financial services firms everywhere are flocking to robotic process automation (RPA) for obvious reasons. RPA takes over tedious and error-prone tasks to make them faster and more accurate. For example, RPA is finding purchase in banks across the world as a means to assess risk in loan applications, monitor and reconcile exceptions in loan payments, commission trades and transactions.  

The decision to implement RPA is not a difficult one: RPA bots don’t get distracted or make mistakes, which means they are compliant in ways humans could never be. It’s the way they’re implemented that matters most. And it’s the proliferation of RPA bots across the environment that keeps compliance officers up at night. If RPA bots that are not built right become a bank’s “virtual workforce,” they can lead to major compliance risks.

When RPA bots are not “hardened,” they lack the logic to run reliably and consistently time and again. They may lack foolproof audit trails, proper documentation, error handling, needed controls or activity confirmation.

When hardened correctly, an RPA bot can reduce risk of non-compliance. For instance, when a bot’s work is changed or updated, these documentation updates are significantly easier to make with the logic “inside” the bot. Similarly, when the bot contains the logic to verify and validate inputs and outputs, controls can be more easily enforced – and the bots can more easily generate real-time reports and updates on the activity flowing through the automated process.

Compliance officers can rest assured only when they know the answers to the following questions: How do we verify and validate the data coming into a process? How do we ensure the integrity of the transactions processed? How do we validate that the outputs are going to the right place? With hardened RPA bots the answers to these questions are right at hand and stored for easy access when questions arise.

RPA is a user-friendly technology – and bots are not difficult to harden, but the process does take discipline. Here are five important steps:

  1. Prepare for error handling. Both expected and unexpected things can go wrong while an automation is executing a task. A hardened automation will not only anticipate these issues, it will be able to respond to them gracefully. Think through possible exceptions and failure points in the process you are automating, and plan accordingly. Plan in advance in case the automation fails and put in place a process to identify the failure point and enable it to pick up where it left off. Implement logging alongside error handling. Thorough logging enables faster troubleshooting and is critical to a bot’s success.
  2. Build in audit trails. Unlike humans, who typically don’t create audit trails as they go about their daily work, bots can be configured to consistently – and without fail – document their steps. By building an audit trail into the automated process, the RPA bot then becomes that one place to go to find out what happened at a certain time on a certain day in the event questions arise (which they eventually will!).
  3. Configure controls. This is where a bank compliance officer is liable to poke holes in an unhardened automated process. If built right, a bot will include input controls to ensure the integrity of data accepted into the automation; processing controls that make sure data is complete, accurate, authorized and processed according to requirements; and output controls to ensure the results are as intended and are being routed and stored correctly.
  4. Confirmations. When an unhardened RPA bot takes over work, supervisors and managers often complain they can’t track the work being done. The answer to this is to build logic into the automated processes to confirm when work is completed. This can occur at interim check points or when an automated process completes a task.
  5. Build documentation into the code. Good code is always accompanied by comments describing what’s happening in the code, but an adequately hardened bot will also have process documentation built into the code. This eliminates separate documents for standard operating procedures and process documentation and makes it clear that, when the bot is modified, the process documentation built into the code needs to be modified, too – it’s all right there on the screen!
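The first four steps can be seen together in one small loan-payment reconciliation bot. This is an added example, not code from the article or from ISG; `run_bot`, `audit`, `verify_trail`, the `post` callback and the record fields are hypothetical names, and chaining audit records by hash is one chosen way to make the trail tamper-evident.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # "previous hash" of the first audit record

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def audit(trail, event, **detail):
    """Append a record chained to the previous one, so edits to the trail are detectable."""
    body = {"ts": time.time(), "event": event, "detail": detail,
            "prev": trail[-1]["hash"] if trail else GENESIS}
    trail.append({**body, "hash": _digest(body)})

def verify_trail(trail):
    """Recompute the chain; False if any record was altered or reordered."""
    prev = GENESIS
    for rec in trail:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def run_bot(payments, ledger, post, state, trail):
    """Reconcile payments against amounts due; state["next"] is the resume checkpoint."""
    for i in range(state.setdefault("next", 0), len(payments)):
        p = payments[i]
        try:
            # Input control: only well-formed records for known loans are accepted.
            if not isinstance(p.get("amount"), int) or p["amount"] <= 0 \
                    or p.get("loan_id") not in ledger:
                raise ValueError("input control failed")
            # Processing control: the payment must equal the amount due.
            status = "matched" if ledger[p["loan_id"]] == p["amount"] else "exception"
            # Output control: the destination must echo the loan it stored.
            if post(p["loan_id"], status) != p["loan_id"]:
                raise RuntimeError("output control failed")
            audit(trail, status, index=i, loan_id=p["loan_id"])
        except ValueError as exc:   # expected problem: reject the record, keep going
            audit(trail, "rejected", index=i, reason=str(exc))
        except Exception as exc:    # unexpected problem: log it, keep checkpoint, stop
            audit(trail, "failed", index=i, reason=repr(exc))
            raise
        state["next"] = i + 1       # checkpoint after each completed record
    audit(trail, "confirmation", processed=state["next"])  # completion confirmation
    return state
```

After an unexpected failure, calling `run_bot` again with the same `state` and `trail` resumes at the record that failed, and `verify_trail` lets a reviewer check that the stored trail has not been edited since.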

Hardening is essential to assure compliance for bots. ISG assists clients with the “how” of hardening, including the best practices, processes and techniques to enhance compliance and avoid risk. Contact me to discuss how we can help you.


About the author

Ray Shehata

Ray Shehata helps financial services organizations with all aspects of their IT, back-office, middle-office and customer-facing service alternatives. He is an accomplished professional with more than 14 years of financial services experience and is skilled in developing and leading digital strategies and assessments, and implementing IT and business process service agreements for large, multi-national corporations. Ray has expertise in assessing which functions are optimal to automate, outsource, offshore or re-engineer through shared services and determining the associated savings opportunity. In addition, he assists companies in evaluating their service delivery alternatives and designing appropriate governance organizations to manage the ongoing operations.