Data Science for Compliance Professionals: Emerging uses for blockchain, artificial intelligence, and robotics across the compliance function June 26, 2019
Page 3
Overview
► Data Science Definitions
► Insights from EY’s Forensic Data Analytics Survey
► Making the case for digital transformation & automation
► Robotic Process Automation
► Blockchain
► Artificial Intelligence
Page 4
Emerging Technologies Defined
► Artificial intelligence (AI) is technology that appears to emulate human performance, typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialogs with people, enhancing human cognitive performance (also known as cognitive computing) or replacing people on execution of non-routine tasks. Applications include autonomous vehicles, automatic speech recognition and generation, and detecting novel concepts and abstractions (useful for detecting potential new risks and helping humans quickly understand very large bodies of ever-changing information).
► Robotic Process Automation (RPA) is the use of software with artificial intelligence (AI) and machine learning capabilities to handle high-volume, repeatable tasks that previously required humans to perform. In the Internal Audit context, common uses include data ingestion and preparation, repeatable analytical processes and anomaly review.
► Blockchain is a decentralized, distributed and public digital ledger that is used to record transactions across many computers so that any involved record cannot be altered retroactively without the alteration of all subsequent blocks.
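The tamper-evidence property in the blockchain definition above, shown as an added example that is not part of the original presentation: a minimal SHA-256 hash chain over constructed payment records. It covers only the linking of blocks, not the decentralized copies or consensus; all function names and records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample ledger entries (not real data).
SAMPLE_RECORDS = [
    {"vendor": "V-1001", "amount": 1200.00},
    {"vendor": "V-2040", "amount": 98000.00},
    {"vendor": "V-1001", "amount": 450.50},
    {"vendor": "V-3315", "amount": 7300.00},
    {"vendor": "V-2040", "amount": 15.75},
]

def block_hash(index, record, prev_hash):
    """SHA-256 over the block's contents, including the previous block's hash."""
    body = json.dumps({"index": index, "record": record, "prev": prev_hash},
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(records):
    """Link each record to its predecessor through the predecessor's hash."""
    chain, prev = [], GENESIS
    for i, record in enumerate(records):
        digest = block_hash(i, record, prev)
        chain.append({"index": i, "record": record, "prev": prev, "hash": digest})
        prev = digest
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["record"], prev) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def blocks_to_rewrite(chain, index, new_record):
    """Count blocks whose hash must change for an edit at `index` to verify."""
    edited = [dict(b) for b in chain]  # work on a copy; the input is untouched
    edited[index]["record"] = new_record
    changed, prev = 0, edited[index]["prev"]
    for b in edited[index:]:
        new_hash = block_hash(b["index"], b["record"], prev)
        changed += new_hash != b["hash"]
        b["prev"], b["hash"], prev = prev, new_hash, new_hash
    return changed if first_invalid(edited) is None else None
```

Changing the record in block 1 of this five-block chain makes `first_invalid` return 1; recomputing only that block's hash moves the failure to block 2, and `blocks_to_rewrite` reports that all four blocks from the edit onward must change before the chain verifies again.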
Page 8
Leveraging a risk-based framework
[Diagram. Phases: PLAN, INGEST, ANALYTICS, CONSUME, ADOPT. Stage labels: Understanding, Detection, Follow up, Refresh & Refinements.]
► Planning inputs: Results of Risk Assessment; Prior findings and investigation results
► Data sources: Transactional Data Sources; Master and Reference Data Sources; External and Third-Party Data Sources
► Analytics techniques: Stratification/Segmentation; Rules-based testing; Time series; Geospatial; Link analysis; Text mining; Linguistic modeling; Predictive modeling; Machine learning; Visualization; Risk scoring
► Other diagram labels: Complete, Transformation, Observations, Risk Score, QC Data, Visualization
► Assess outputs and prioritize risk areas
► Define investigation governance
► Conduct investigative activities
► REMEDIATION: Track adjudication outcomes; Measure reductions of risks over time
Page 9
Compliance and anti-fraud monitoring using big data & machine learning
Data integration strategy
[Diagram. Columns: Data Sources, Compliance Platform, Dashboard Modules.]
► Countries in scope: Country 1 through Country 13, Country n
► Data sources: General Ledger; Accounts Payable; Cash Disbursements; Sales / Contra Revenue; Vendor / Customer / Employee Master Files; External Data; Investigations / Case Management; Travel & Entertainment; 3rd Party Due Diligence Checks; Industry Codes; Gift Logs; Audit
► Dashboards: Global Dashboards; Zone and Country Dashboards
► Dashboard modules: Travel & Entertainment; Investigations & Audit; Ambient Risk; Order to Cash; AML / Sanctions; Data Pollution & Integrity; Procure to Pay – Vendors; One Time Vendors; High Risk Vendors; Touch Point Vendors; Procure to Pay – Payments; Charitable & Political Contributions; Duplicate Payments; Urgent Payments
Page 10
Critical components of an evolving compliance analytics program
► FOCUS: Improve the depth and breadth of monitoring with risk-based targeting
► GOVERNANCE: Establish a governance model to identify issues, report results and track remediation across the business, while ensuring the appropriate actions are taken
► CONSISTENCY: Develop a consistent monitoring approach that prioritizes higher risk areas while allowing time to reassess the focus of monitoring activities to maximize your resources.
► REFINEMENT: Programs must be iterative in nature with continuous refinement based on compliance outputs (e.g. compliance observations, audit results, investigation findings)
Page 13
Why the case for automation?
A recent example…account hold approval and removal
Compliance reporting for a global technology company
RPA is the application of technology that allows employees in a company to configure computer software or a “robot” to capture and interpret existing applications for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.
Business situation: Utilizing composite risk scoring, high-risk vendors are evaluated by compliance to determine if various processing holds should be placed or removed, or if additional due diligence procedures should be conducted. Prior to the implementation of RPA, this evaluation was done on an ad-hoc basis by the compliance team.
RPA steps
► Launch compliance applications
► Launch ERP systems
► Review vendor and transactional data to assess if claim is approved or denied
► Update approval/denial status
► Send report of completed accounts (email)
Key benefits
► Review time reduced from 26 weeks to 8 hours, accelerating account processing and attorney communications
► Released 2+ FTEs of capacity for more strategic review and analyses
► Eliminated keying errors
[Diagram labels: BKFS LoanSphere Desktop; AS400; RPA; Human workforce]
Page 14
How does the “bot” work?
A high-level view of how a “bot” typically operates
[Diagram: Data ingestion, analysis and reporting]
► Steps: Extract and convert; Parse and Cleanup; Consolidate and Merge; Analyze and Report
► Sample structured data sources: Excel spreadsheet; Relational database; CSV files; ERP data (e.g. SAP)
► Sample reports and processes: Cost allocation; Cost recovery; Rate case support; Regulatory reporting; Initiative reporting; Budget reporting
► Triage: Low priority reports; Priority reports; Reporting exceptions
► Outputs: Compliance records; Management reports
► Other diagram labels: Data quality issues; Predefined business rules
Page 15
Candidate opportunities
Indicators that a process can be automated
Indicators that a compliance process can be automated
Affirmative answers to the following questions are a good indication that audit-related operational tasks and related functions may benefit from robotic process automation:
► Are users required to manually access and gather data from several different applications to complete their activities?
► Do users manually move data from one system to another?
► Are users manually checking the consistency of data between multiple systems?
► Are users manually updating the same information in multiple systems?
► Are users waiting for alerts / events to initiate their activities?
► Are resources manually remediating source data across several accounts?
Page 17
The future of fraud in a blockchain world - discussion
► Enables better collaboration between unknown and untrusted parties
► While blockchains are exceptionally secure, fraudsters will use traditional means at the end-points to gain access to accounts (i.e., social engineering)
► Compliance and legal professionals need to understand these systems at a high level – a knee-jerk reaction in one system could be disastrous to another
May/June 2018 FRAUD Magazine
Page 18
Introduction to machine learning
► Defined as a "Field of study that gives computers the ability to learn without being explicitly programmed"
► Explores the study and construction of algorithms that can learn from and perform predictive analysis on data
► Such algorithms operate by building a model from an example training set of input observations
► To make data-driven predictions or decisions expressed as outputs
Page 19
Machine learning example – Supervised
[Diagram: Sample risk indicators feed a Predictive model, which produces a Risk categorization.]
Sample risk indicators
► Emails to competitors
► Frequencies of email
► Time stamps of email headers
► GeoIP of email headers
► Poor performance rating
► Angry emails or instant messages (IM)
► Secretive emails or IMs
► Copying from SharePoint/repository
► Copying to USB drive
► Frequency and location of large volume of file deletions
► Crawling through network
► Transfers to cloud storage
► Transfer to personal emails
Risk categorization
► Employees w/ risk level 1
► Employees w/ risk level 2
► Employees w/ risk level 3
Page 20
Dynamic dashboard
Risk trigger analytics results, driving communications
[Dashboard panels: Summary statistics; Risk ranking by function; Employee risk ranking; Training and compliance]
Page 21
Thank You!
► Ryan Pratt, Partner, EY, Forensic & Integrity [email protected]
► Vince Walden, Partner, EY, Forensic & Integrity [email protected]