

Autonomous compliance

Standing on the shoulders of RegTech!

Many of us are unaware how early twentieth century technology works. We stick a plug into a socket, switch on the television or radio and pictures and sounds are picked up by our senses as if by magic. The end of this analog era started when digital technology in the form of computers was developed to assist us to find answers to complex, mostly military questions. The internet was a direct consequence of further research in this area during the 1960s leading to omnipresent connectivity at the beginning of the twenty-first century. Even the latest technological paradigm shift, autonomous systems, was initiated by the air force in their quest to deploy unmanned drones instead of humans in jets.

However, autonomous systems are currently being pushed forward by commerce and regulations. With autonomous systems, we let go of direct control in order to benefit from a system that can handle high volumes of complex information both efficiently and effectively. Autonomous systems are no longer tools handled by people; decisions and actions are taken without direct human interference or intervention. Their applicability to the compliance domain is easy to spot. Instead of us making sure systems comply with our rules, autonomous compliance systems make sure humans obey.


Brian Chin, chief executive for global markets at Credit Suisse, stated in June 2017 that the bank was deploying twenty robots, some of which were to help employees answer basic compliance questions ([Oran17]). Mr. Chin said: ‘You ask it questions and it spits out the appropriate regulation, rather than going to a manual or a website.’ Credit Suisse expects that this chatbot technology will reduce the number of calls to the compliance call center by fifty percent. However, reducing costs cannot be the only reason for the Swiss bank to deploy chatbots. Credit Suisse received regulatory related fines totaling $5.3 billion in 2016 ([JUNI17]), thereby coming eighth in the global banking fines league of that year. The introduction of chatbots will probably reduce mistakes and thus fines as well.

Talking about fines and bots, Joshua Browder, a student at Stanford University, developed the ‘DoNotPay’ chatbot in 2016. This bot helped to overturn more than 200,000 parking fines in London and New York. Joshua introduced a new version of the bot in 2017. This time the bot helps refugees with immigration applications in the US and Canada, and asylum support applications in the UK ([Good17]).

The above two cases both describe autonomous systems in the form of chatbots. Chatbots engage users in ‘human-like’ conversations, have the knowledge to answer their queries and make recommendations. The examples show that the use of autonomous technology within the legal, risk or compliance space is ready for deployment. The application of autonomous technology is the focus of this article. It will explain the concepts of Robotic Process Automation (RPA) and Artificial Intelligence (AI); link these to capabilities such as Natural Language Processing (NLP) and knowledge management; include an indication of the current maturity and availability of these capabilities; and sketch the deployment of RPA and AI technology in the regulatory domain. But we shall begin by stating what the tasks of a compliance officer are all about.

Regulatory compliance – responsibilities and tasks

All European regulations for financial companies contain organizational requirements for a compliance function. In general, such a function is responsible for the following tasks:

  • monitor regulatory effectiveness;
  • report on regulatory effectiveness;
  • tackle deficiencies in regulatory effectiveness;
  • advise and assist staff in complying with regulations.

This means that the regulatory function must identify, assess, advise, monitor and report on the company’s compliance risk. Unfortunately there are many pains that a compliance officer encounters when carrying out these tasks (see Figure 1 on regulatory pains).


Figure 1. Regulatory pains.

The most important pain is the risk of non-compliance. The sheer regulatory volume requires access to ample financial and human resources to control this risk. Nevertheless, even if a company has access to these resources it may still find itself on the wrong side of the law. This is due to the complexity and interconnectedness that is inherent in today’s regulations. Therefore, the smart deployment of technology, which is specifically developed to counter these regulatory pains, is essential to retain control, limit regulatory risk and address regulatory and compliance requirements, both effectively and efficiently.

Autonomous Compliance System

An autonomous system is one that tries to fulfill a set of goals in a complex, dynamic ‘environment’. It can ‘sense’ the environment through its ‘sensors’ and act upon it using its ‘actuators’, e.g. a robot uses a camera as its sensor and a robotic arm as its actuator ([Maes93]).

The environment of an autonomous compliance system could be described as the regulatory and industry standards domain on the one hand and the company business and operational domain on the other. The sensors of autonomous compliance systems are software capabilities that range from Natural Language Processing (NLP), knowledge management and biometric systems, all of which use data gathered via interfaces, through to actual documents that contain regulatory and industry standards and to documents and (business and biometric) systems that contain information about the company business and operating domain.

A system is called autonomous if it decides for itself how it uses its ‘sensor’ data to initiate actions in such a way that its goals are met successfully. As such, predictive analytics is an essential capability to develop an autonomous system. All the above capabilities are currently available due to advances in AI (see Figure 2). In order to be fully autonomous, a compliance system should cover all four phases of the regulatory lifecycle: 1) regulatory insight and impact, 2) regulatory assessment, 3) regulatory implementation and 4) regulatory compliance monitoring and optimization ([Vost17]), and be able to adapt to short-term and long-term changes in its environment ([Maes93]). Again, the self-learning capability is now available when using AI.

RegTech – RPA and AI

Much has been written about RegTech and its use within the compliance space. Overall, two types of technologies currently dominate this domain for regulation: Robotic Process Automation (RPA) and Artificial Intelligence (AI).

RPA is used to automate steps of regulatory processes utilizing scripting capabilities and using tooling to access and manipulate structured or semi-structured data. The strength of RPA is the flexibility and unobtrusiveness of the toolset used.

AI is a suite of technologies that distinguishes itself by its ability to recognize patterns from structured and unstructured data based on accuracy and confidence ratings/weightings, a generic capability that was until recently limited to biological brains only. Where RPA brings efficient automation, AI introduces a completely new way of tackling problems. An example of an AI technology is Cognitive Intelligence, i.e. algorithms that mimic the function of the (biological) brain by using weightings to discover structure and abstractions. Cognitive Intelligence has only now become possible due to virtualization techniques that permit access to potentially unlimited processing and storage capacity. With an AI technology such as Cognitive Intelligence, problems can be solved that previously seemed too complex, too big, too volatile or too incomprehensible for either a human to tackle, or for an IT system to capture in pure code. In addition, AI technology has the means to train itself and improve over time. Thus AI technology provides the means to develop adaptive autonomous systems (see the box on the Autonomous Compliance System).


Figure 2. From automation to autonomous systems.

AI can be applied to many generic areas, such as biometrics, Natural Language Processing (NLP), knowledge management and predictive analytics (see Figure 2). In combination, these capabilities make autonomous compliance a possibility.

The application of RegTech

The world of online commerce thrives because of continuous improvements in technology. These improvements enable companies to provide their clients with tailored information about relevant products and services based on a client’s current and past behavior, their location, and their past, current and future financial situation, while taking into account cultural and economic trends. It is important to retain the right clients, clients aligned to the business strategy of the company. Technology is deployed by these companies to ultimately recommend their products and services, prescribing the client’s behavior.


Figure 3. RPA & AI usage within the regulatory lifecycle.

The tools and solutions of online commerce can be deployed equally successfully to regulatory compliance, e.g. using the concept of recommendations to assure conformity to rules and standards. Using the ‘regulatory lifecycle’ introduced in the previous RegTech article [Vost17], compliance solutions can be categorized into four sub-domains: 1) regulatory insight and impact, 2) regulatory assessment, 3) regulatory implementation and 4) regulatory compliance monitoring and optimization (see Figure 3 on RPA & AI usage within the regulatory lifecycle). The following sections show the use for each sub-domain.

Providers and solutions to support the ‘regulatory insight and impact’ sub-domain are available. Such providers typically offer regulatory content on a subscription basis whereby the user can select the scope and detail of the regulation and decide who should receive this information. Often providers generate additional data, such as a concise overview of the new regulation or changes in question. When deciding what regulation is relevant to the user, a provider can use either dynamic roles or fixed ones, such as: investment firm, payment provider, credit institution, etc. The application of AI within this area is very promising. For example, AI can play an important role in determining who needs to be notified based on the results of users who either accept or reject notifications. Alternatively, AI in combination with Natural Language Processing (NLP) can be used to analyze the regulatory changes themselves in order to determine the target group. Regulation can also be analyzed to determine references to other rules. More information regarding technical and non-technical pains and solutions specific to accessing regulation can be found in the first RegTech article [Vost17].

Typical solutions related to ‘regulatory compliance monitoring and optimization’ are collectively known as GRC (Governance, Risk & Control) systems. In general, GRC systems provide functionality to define regulatory, domain and company specific risks, link these risks to a control framework and assess and report on the effectiveness of the controls. GRC systems have been around for the last ten to fifteen years. Potentially, GRC systems allow the automation of monitoring. However, the dynamics of the compliance environment cause maintainability issues. Furthermore, the ability to conduct surveys to assess effectiveness is often complicated and requires coding expertise. GRC tooling has been the subject of many Compact publications, e.g. ‘Trending topics in GRC tooling’ [Lamb17]. If a GRC system provides no support to conduct a survey to assess the effectiveness, RPA can be used to automate this process in a standard manner, allowing for efficient analysis of the standardized, available responses.

Unfortunately, there are currently few systems that support the automation of the ‘regulatory assessment’ sub-domain. This is extraordinary, as this particular process lends itself very well to the ecommerce and technological concepts described in the previous section. Typically, the detailed assessment of a regulatory change is carried out according to the following steps: 1) identify scope and applicability, 2) identify the impact areas due to the applicable requirements, 3) identify the gap between the ‘current state’ of the impact areas and the applicable requirements, 4) determine the ‘target state’ to comply with the requirements, 5) define an implementation plan to develop and implement the ‘target state’.


Figure 4. Regulatory assessment steps.

When assessing the impact and corresponding gap due to a regulatory change, there are specific requirements: a regulatory library that supports the change/version management, an ability to view and navigate within and across all documents, and support to determine the scope, applicability and impact of the regulation. Ideally, tooling has access to the current state of the target in scope and the means to assess the gap with respect to the applicable regulation. The online concepts and AI capabilities introduced previously can be used in different ways.

Applicability, impact and gap could be determined by using the concept of recommendations, whereby the system analyzes both the regulation and the target areas of the company in scope. By using the Knowledge Base features in combination with NLP functionality the system may analyze differences/similarities autonomously between requirement and target. For example, governance and organizational regulatory requirements could be compared with current company documentation describing the current governance and organizational model. Similarly, any overlap and changes between regulatory obligations and specific company policies may be assessed automatically.

The scope of the final sub-domain within the regulatory lifecycle, ‘regulatory implementation’, is very broad. Within this sub-domain one can gather all applications that support typical regulatory obligations, such as: client onboarding, reporting, surveillance, modeling/forecasting, decision making and awareness (see Figure 5 on regulatory implementation point solutions).


Figure 5. Regulatory implementation point solutions.

The chatbots discussed in the introduction of this article are a good example of how ‘awareness’ of company staff and clients can be supported by technology. Surveillance is also a recurring regulatory obligation, be it surveillance to detect market abuse, money laundering or the behavior of staff in general. Conventional surveillance tools identify positives using set/pre-configured suspicious practices. The use of AI and its ability to analyze unstructured data and learn from experience will enhance the effectiveness of the surveillance tooling and reduce the number of false positives. If a positive must be followed up, the process to do so can be automated using RPA. The other sub-domains within ‘regulatory implementation’ can benefit in a similar way.

Availability of RegTech capabilities

There are of course many vendors that provide applications within the regulatory space, particularly within the ‘regulatory implementation – point solution’ domain. However, as the above sections show, not all areas are equally well served by the market. As such, a company may look at the development of bespoke solutions to develop either their own chatbot or assessment tool. Fortunately, AI technologies/capabilities are widely available ([Hafe17]). See Figure 6 on AI availability in the cloud.


Figure 6. AI availability in the cloud.

All major market players offer access to a wide range of AI capabilities. Microsoft in particular seems to provide a broad choice of features. However, platforms like IBM Watson also offer a good choice. This was, for example, the choice of Joshua Browder, the developer of the autonomous ‘DoNotPay’ chatbot. However, it should be understood that most of the vendor applications and bespoke applications are mainly developed using ‘conventional’ technology, with AI technology as a unique selling point, but not always the deciding enabler.


Autonomous applications are currently deployed within the compliance space. Although it is early days, the promise of automated, autonomous systems that allow companies to be in-control and compliant is already here. Not all areas are covered as yet. However, a green field operation would benefit tremendously if it could achieve full automation of its monitoring, reporting and effectiveness testing. Furthermore, by using tooling to assess the actual regulatory changes, the quality and costs of this exercise would improve. The compliance officer is here to stay, but the question remains in what capacity: human or digital?


[Good17] Joanna Goodman, Legal technology: the rise of the chatbots, The Law Society Gazette, 20 March 2017.

[Hafe17] Thomas Hafen, Cloud Dienste erleichtern KI-Einstieg, COM! Professional, 1 September 2017.

[JUNI17] Juniper, How RegTech can save banks billions, Juniper Research, 2017.

[Lamb17] G.J.L. Lamberiks, I.S. de Wit, S.J. Wouterse, Trending topics in GRC tooling, Compact 2017/3, 2017.

[Maes93] Pattie Maes, Modeling adaptive autonomous agents, Artificial Life (Volume 1, Issue 1-2), MIT Media Laboratory, 1993.

[Oran17] Olivia Oran, Credit Suisse has deployed 20 robots within bank, markets CEO says, Reuters, 2 May 2017.

[Vost17] Rob Voster, Closing the circle. Will RegTech digitize regulation?, Compact 2017/2, 2017.