Don’t build in compliance - it's a very crowded space. That is NOT true!

Product
Shashank Agarwal
July 15, 2024

If you tell someone "I am building an AI solution for compliance", the very next thing you will hear is "oh, but it's a very crowded market". There are already too many players, both on the legacy side (LexisNexis, Dun & Bradstreet, Orbis, etc.) and among the new-age tech players (Sumsub, Onfido, Alloy, Jumio, etc.). The other objection is that investors have not seen a big exit yet, and the general consensus is that this market is heading for consolidation.

Compliance can mean many different things depending on the workflow, the industry or the problem you are solving for.

Broadly speaking, compliance within financial services is organised into 3 lines of defence: the 1st line is the business and operations teams that own and manage risk day to day (onboarding, KYC, transaction monitoring), the 2nd line is the compliance and risk functions that set policy and oversee the 1st line, and the 3rd line is internal audit, which provides independent assurance over both.

Yes, it is true that lots of compliance tools exist, but most of them automate the workflow of the 1st line of defence. The 2nd and 3rd lines of defence still rely on consultants for help. Yes, there are a lot of GRC tools too, but most of them are limited to security compliance (Vanta, Drata, Sprinto, Scrut, Adoptech).

Roles and responsibilities of the 3 lines of defence (figure)

Workflow of the 1st line of defence (figures):

  • How things are done currently

  • Where is AI impacting the workflow of the 1st line of defence?

The argument is very simple: businesses replace repetitive, low-impact, fairly standard jobs with AI, which is cheaper and possibly more accurate than outsourced labour. For regulatory reasons there still has to be human oversight in the 1st line of defence, but a lot of the actual "work" will increasingly be done by AI agents instead of human "agents". Early signs are positive from two relatively young Y Combinator businesses, Greenlite and Accend. There is also an argument that the current KYC and transaction monitoring players are well placed to build AI agents for exception handling, since they already have access to customer data and are integrated into the financial institution.

But are we going to leave the 2nd and 3rd lines of defence out to dry?

They have been using consulting firms such as Fintrail, Fscom, Thistle and the Big 4 (Deloitte, PwC, EY, KPMG) rather than tools. According to EY, around 60% of banks use consulting services for compliance transformation, and 70% of firms depend on external consultancy for audit activities (Protiviti). Similarly, Gartner reports that only 25% of 2nd line functions use any kind of automation.

 

But why is that? Let’s look at the “jobs to be done” for the compliance teams.

  1. Regular Jobs:
    • Internal Audits
    • External Audit preparation
    • Regulatory Filings
    • Quality Assurance
    • Board Pack Preparation
    • Periodically updating governance documents

  2. Event-Driven Tasks:
    • New Regulatory Updates
    • Compliance for new products launched by business
    • Compliance in new geographies business wants to expand to
    • Audit by the regulator

At the risk of generalising, most of these tasks require dealing with unstructured data (regulatory filings, internal audits, board pack presentations), understanding the context behind legislation (new regulatory updates, periodic updates to governance documents), and expert knowledge (new regulatory updates, compliance in a particular geography or for particular products, regulatory interpretation).

Compliance teams prefer consulting firms over technology-based solutions because most of these use cases are event-driven and bespoke. The teams trust the knowledge and expertise of the consulting firms, coupled with their interpretation and judgment. Moreover, these firms provide tailored solutions specific to the organisation's needs that align with its broader strategy. According to KPMG's chief compliance officer survey, only 18% have used automation for reporting and risk data collection.

There are some tools that make life a little easier for the 2nd and 3rd lines of defence

These tools feed relevant regulatory content to the compliance teams and let them manage their whole workflow and their governing documents in one centralised place. That keeps every task in one place and gives the regulator an audit trail. However, all of the actual "jobs" are still done manually by the 2nd and 3rd lines of defence, and they take up a significant portion of their time.

To give you an example, the latest update to the EU AI Act came out on 18th June! What does this mean for the 2nd line of defence?

Step by Step Workflow

  1. Monitoring a set of sources for regulatory updates (FCA, EBA, FATF, etc.)
  2. Separating relevant updates from irrelevant ones (for example, is the AI Act relevant to this particular business?)
  3. Reading the update in detail to understand its impact on the business
  4. Communicating it to the wider business
  5. Identifying the governing documents that would be impacted
  6. Conducting a gap analysis by listing out the key requirements and obligations in the AI Act update
  7. Identifying gaps and recommending remediation against the governance documents that currently exist in the business
  8. Creating a workflow with the relevant stakeholders to update the necessary documents
  9. Chasing and following up to make sure the relevant documents are updated
  10. Sending the updated governing documents for board approval
  11. Once approved, the relevant stakeholders do a gap analysis to bring the changes into practice in the business
  12. The GRC committee reviews and ensures that the gaps have been closed
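As an added illustration (not Zango's code, nor any vendor's product), here is a small Python script covering steps 1, 2 and 5 of that workflow: it reads an Atom feed of regulatory updates, drops entries the feed has re-emitted, tags each entry against the topics a particular business cares about, and lists the governing documents those topics touch. The feed, the topic terms and the topic-to-document mapping are all constructed for the example; real regulators publish their own feeds with their own schemas, and step 3 (understanding what an update means in context) is exactly the part a term match cannot do.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Constructed feed standing in for a regulator's Atom feed (not a real FCA/EBA/FATF feed).
# The third entry repeats the first: feeds often re-emit unchanged items on every poll.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Regulator updates (constructed)</title>
  <entry>
    <id>urn:example:2024-06-18:ai-act</id>
    <title>Regulation on artificial intelligence: final text published</title>
    <updated>2024-06-18T09:00:00Z</updated>
    <summary>Providers and deployers of high-risk AI systems must implement risk management,
    data governance and human oversight.</summary>
  </entry>
  <entry>
    <id>urn:example:2024-06-17:crypto</id>
    <title>Consultation on crypto-asset marketing rules</title>
    <updated>2024-06-17T12:00:00Z</updated>
    <summary>Proposed financial promotion rules for crypto-asset firms.</summary>
  </entry>
  <entry>
    <id>urn:example:2024-06-18:ai-act</id>
    <title>Regulation on artificial intelligence: final text published</title>
    <updated>2024-06-18T09:00:00Z</updated>
    <summary>Re-emitted copy of the first entry.</summary>
  </entry>
</feed>
"""

# Constructed business profile: topics this firm cares about and terms that signal them.
TOPIC_TERMS = {
    "ai": {"artificial intelligence", "ai system", "machine learning", "automated decision"},
    "aml": {"money laundering", "terrorist financing", "suspicious activity"},
    "outsourcing": {"outsourcing", "third party", "third-party"},
}

# Constructed map from topic to the governing documents it touches (step 5).
GOVERNING_DOCS = {
    "ai": ["Model Risk Management Policy", "Data Governance Policy", "Customer Fairness Policy"],
    "aml": ["AML/CTF Policy", "Transaction Monitoring Procedure"],
    "outsourcing": ["Third-Party Risk Policy"],
}


@dataclass
class Update:
    uid: str        # feed-supplied id, used for deduplication
    title: str
    updated: str
    summary: str
    topics: set = field(default_factory=set)
    impacted_docs: list = field(default_factory=list)


def _text(entry, tag):
    node = entry.find(f"a:{tag}", ATOM_NS)
    return " ".join((node.text or "").split()) if node is not None else ""


def parse_feed(xml_text):
    """Step 1: turn an Atom feed into Update records."""
    root = ET.fromstring(xml_text)
    return [Update(uid=_text(e, "id"), title=_text(e, "title"),
                   updated=_text(e, "updated"), summary=_text(e, "summary"))
            for e in root.findall("a:entry", ATOM_NS)]


def fingerprint(u):
    """Hash of id + updated: a re-emitted item is dropped, a revised item is kept."""
    return hashlib.sha256(f"{u.uid}|{u.updated}".encode()).hexdigest()


def dedupe(updates, seen):
    fresh = []
    for u in updates:
        fp = fingerprint(u)
        if fp not in seen:
            seen.add(fp)
            fresh.append(u)
    return fresh


def triage(u, topic_terms=TOPIC_TERMS, docs=GOVERNING_DOCS):
    """Steps 2 and 5: tag topics by term match, then list the documents those topics touch."""
    haystack = f"{u.title} {u.summary}".lower()
    u.topics = {t for t, terms in topic_terms.items() if any(term in haystack for term in terms)}
    u.impacted_docs = [d for t in sorted(u.topics) for d in docs.get(t, [])]
    return u


def run(xml_text=SAMPLE_FEED, seen=None):
    """One polling pass; pass the same `seen` set on every poll to suppress repeats."""
    seen = set() if seen is None else seen
    return [triage(u) for u in dedupe(parse_feed(xml_text), seen)]


if __name__ == "__main__":
    for u in run():
        print(f"[{'REVIEW' if u.topics else 'ignore'}] {u.updated} {u.title}")
        for d in u.impacted_docs:
            print(f"          -> {d}")
```

Run it and the AI Act entry is flagged for review with three policies listed against it, the crypto consultation is ignored, and the re-emitted duplicate never reaches triage. In a real deployment the `seen` set would be persisted between polls and the term lists would be the cheap first filter in front of a human or model read, not the final word on relevance.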

What is the gap in the software currently on the market?

GRC tools like ServiceNow and Archer are excellent for managing the overall process and for maintaining the audit trail the regulator expects (steps 8-12). But most of the heavy lifting happens in steps 3-7, which are completely manual.

Reading regulatory updates (including understanding the context behind them), gap analysis and drawing up remediation plans are all still done by hand.

Opportunities
  • Automating routine tasks such as monitoring and tracking regulatory updates, gap analysis and report creation with AI, freeing compliance teams to focus on decision-making and problem-solving.
  • A GRC tool for the mid-market (current tools such as ServiceNow need 9-12 months of integration and an integration partner such as KPMG or Infosys, which means only enterprises can afford them).

We are going after the first opportunity at Zango. In our next blog we will talk in detail about the approach that we, and some of the other players pursuing this opportunity, are taking, and why now is the right time to go after this problem.
