Dr.-Ing. Sagar Sunkle, profile picture
Uploaded byDr.-Ing. Sagar Sunkle
PPTX, PDF489 views

Model-Driven Regulatory Compliance: A Case Study of “Know Your Customer” Regulations

This document discusses model-driven regulatory compliance using a case study of "Know Your Customer" banking regulations. It outlines key challenges in compliance such as semantic disparity between formal regulations and business operations, generating explanations of compliance proofs, and managing changes to regulations over time. The authors propose addressing these challenges by developing formal vocabularies of regulatory and business concepts, mapping the vocabularies to address semantic differences, and using the mapped models to reason about compliance and regulatory changes. A banking example is provided to illustrate mapping KYC regulations to customer account opening processes. The proposed approach aims to help organizations more rigorously and cost-effectively ensure ongoing regulatory compliance.

Technology
Related topics:
Regulatory Compliance

Embed presentation

Download to read offline
Model-Driven Regulatory Compliance: A Case Study of “Know Your Customer” Regulations Sagar Sunkle, Deepali Kholkar, and Vinay Kulkarni Tata Consultancy Services Research, India
Compliance is adherence to policies and decisions. Policies may originate in internal directives as well as external regulations.  Cost of Compliance o Increasing spend on compliance- in Billions of $ and expeceted to rise o Several regulations across various domains  Banking KYC [Know Your Customer], FATCA [Foreign Account Tax Compliance Act], BASEL III [Bank Capital Adequacy and Market Liquidity]  Mortgage CFPB [Consumer Financial Protection Bureau]  Healthcare HIPPA [Federal Health Insurance Portability and Accountability Act] o Compliance is difficult to achieve o It is uncertain in many cases what constitutes compliance o It is not clear how it will affect the business o It changes with time and space [geography-specific]  Non-compliance is penalized severely Regulatory Compliance Context
 Compliance checking research o Checking whether processes comply with regulations based on given formalism o Siloed research in business process compliance checking, risk modeling, process change management Largely manual and expert-driven in practice  Industrial Governance, Risk, and Compliance (GRC) solutions o Based on tagging mechanisms- tag regulations to enterprise content (using domain-specific taxonomies when available) o Tagging itself is mostly manual, sometimes (semi-)automated o (Non-/Semi-) formal solutions means less rigorous • Less than 50% of enterprise content is correctly indexed • Multiple labeling and classification errors • Average cost of tagging an item ranges from $ 4.00 to $ 7.00 Current State of Art and Practice
 Semantic Disparity o Before checking compliance, need to map regulatory concepts to enterprise operational concepts to find out to “what” in enterprise data a regulation is applicable to [in business processes “where” it is applicable] o Largely ignored/implicitly assumed in research approaches, industrial GRC solutions depend on domain experts  Explanation of Proofs of Compliance o An explanation which compliance officers/internal auditors and business stakeholders can use in a legally defensible way  Change Management for Regulations o Regulations change over time and with geography- need to keep operations compliant with changing regulations o Operations may change and need to re-comply with existing regulations Key Challenges
Changes in Internal Controls Changed Processes Change Risks Inquiries/ Surveys Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk use prevent, detect, correct, track associated Identify risks in ensure compliance with define fulfill enact in Integrating Research Silos with Conceptual GRC Model Vicente and da Silva: A Conceptual Model for Integrated Governance, Risk and Compliance. CAiSE 2011
Changes in Internal Controls Changed Processes Change Risks Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Using Purposive Models for Integrated Compliance
Changes in Internal Controls Changed Processes Change Risks Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Formal Model of Regulations SBVR Models of Regulation Concepts Using Purposive Models for Integrated Compliance
Semantic Mapping and Proof Explanation Changes in Internal Controls Changed Processes Change Risks Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Formal Model of Regulations Formal Model of Business Process SBVR Models of Regulation Concepts SBVR Models of Process Concepts Mapping Rule Integration Change Management Using Purposive Models for Integrated Compliance
Semantic Mapping and Proof Explanation Changes in Internal Controls Changed Processes Change Risks Business Process Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Domain Metamodel Formal Model of Regulations Formal Model of Business Process SBVR Models of Regulation Concepts SBVR Models of Process Concepts Mapping Rule Integration Change Management Regulatory and domain concepts Using Purposive Models for Integrated Compliance
 Create formal vocabularies regulatory and operational concepts and map them to address Semantic Disparity  Use the vocabularies [specifically terminological dictionary] to capture natural language representation to address generation of Proof Explanation  Rematch/retag regulations to operational specifics using vocabulary and mappings, use formal representation of regulations to reason about Regulatory Change Addressing Regulatory Challenges with Model-driven Integrated GRC Architecture
Regulation: “A discount of 10% is granted if the customer is a gold customer; 5% are granted if the customer is a silver customer.” Disparity between labels in formal regulations and operational specifics- Exhibits Petri Net Approach An event log describing the observed operational behavior is aligned with a Petri-net pattern that formalizes a regulation.
Regulation: “A discount of 10% is granted if the customer is a gold customer; 5% are granted if the customer is a silver customer.” Disparity between labels in formal regulations and operational specifics- Exhibits Petri Net Approach An event log describing the observed operational behavior is aligned with a Petri-net pattern that formalizes a regulation.
Regulation: “For payment runs with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Disparity between labels in formal regulations and operational specifics- Exhibits Compliance Rule Graph-based Approach Events from operational event trace are checked against graph- based compliance rule language CRG that formalizes a regulation.
Regulation: “For payment runs with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Disparity between labels in formal regulations and operational specifics- Exhibits Compliance Rule Graph-based Approach Events from operational event trace are checked against graph- based compliance rule language that formalizes a regulation.
Regulation: “For payment runs with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Disparity between labels in formal regulations and operational specifics- Exhibits Compliance Rule Graph-based Approach Events from operational event trace are checked against graph- based compliance rule language CRG that formalizes a regulation. The same observations can be made about other formal approaches- Defeasible logic, BPMN-Q, Pi-Calculus based compliance checking
Building the Vocabularies Semantics of Business Vocabulary and Rules (SBVR) Semantic model of formal terminology Business vocabulary o Semantic community and sub- communities owning the regulation and to which the regulation applies o Shared understanding of an area, i.e., body of shared meanings Meanings and characteristics o Categorical concepts with specific details as characteristics
Mapping the Regulatory and Operational Vocabularies Rules as Bodies of guidance o Logical formulations based on logical operations Terminological dictionary o Designations or alternate names for various concepts, definitions for concepts and natural language statements for policies stated in the regulation o capture the vocabulary used by the enterprise in its business processes or enterprise data Mapping rules to processes o Every verb concept in the regulation body of concepts is mapped to corresponding verb concept wording from the process terminological dictionary using similarity measures. o This mapping is used to look up consequent terms of rules and the corresponding process entity is treated as a placeholder for compliance implementation of the rule.
Reserve Bank of India’s Know Your Customer regulations for a salaried employee at a private employer opening an account at an Indian Bank Addressing Semantic Disparity- An example of banking domain regulation mapping to banking process Formal model [based on deontic, modal, defeasible logic]
2009 Annotate rule to task r 1 r 2 … Customer account opening process (CAO process) KYC states customer acceptance policies (CAP) where different kinds of customers submit different identification and address documents which need to be checked- in the process above at the “review documents” task determined through vocabularies of CAP regulation and CAO process
Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Client_ID 17 fulfills all Obligatory requisites. The processed trace shows facts in the successful invocation of rule r3. Addressing Natural Language Proof Explanation
<containsConcepts xsi:type="SBVR.MeaningandRepresentationVocabulary:generalconcept"> <Id>pse</Id> <representation>pse_data</representation> <characteristic>notApprovedCorporate</characteristic> <characteristic>approvedCorporate</characteristic> <moreGeneralConcept>ind</moreGeneralConcept> </containsConcepts> </includesBodyOfConcepts> <includesBodyOfConcepts Id="RBI_KYCRegulationConcepts"> Business Vocabulary with Characteristics Concept pse and its characteristics such as approvedCorporate are defined in the business context and also in the meaning and representation vocabulary. Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Addressing Natural Language Proof Explanation
<includesBodyOfGuidance Id="RBI_KYCRules"> <includesElementsOfGuidance Id="r3"> <Id>r3</Id> <isMeantBy xsi:type="SBVR.LogicalFormulationofSemanticsVocabulary:obligationformulation"> <antecedent xsi:type="SBVR.LogicalFormulationofSemanticsVocabulary:conjunction"> <logicalOperand xsi:type="SBVR.LogicalFormulationofSemanticsVocabulary:atomicformulation"> <Id>ind</Id> <isBasedOn>client_is_ind</isBasedOn> </logicalOperand> … </isMeantBy> </includesElementsOfGuidance> </includesBodyOfGuidance> Business Rules Vocabulary The rules vocabulary notes the rules and concepts involved. Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Addressing Natural Language Proof Explanation
<SBVR.VocabularyforDescribingBusinessVocabularies:ComplianceModel> <contains Id="RBI_reference"> <presentsVocabulary Id="RBI_RegulationVocabulary"/> <expressesBodyOfMeanings Id="RBI_KYCRegulation"/> <includes xsi:type="SBVR.VocabularyforDescribingBusinessVocabularies:owneddefinition"> <Id>approvedCorporate</Id> <expression>Employer_is_a_corporate_approved_by_the_bank</expression> <meaning>approvedCorporate</meaning> </includes> <includes xsi:type="SBVR.VocabularyforDescribingBusinessRules:rulestatement"><Id>r3_stmt</Id <expression>It_is_obligatory_for_bank_to_obtain_requisite_documents_Including _approved_employer_certificate_and_additionally_at_least_one_valid_ document_ from_individual_who_is_a_private_salaried_employee _in_order_to_open_account” </expression> <meaning>r3</meaning> </SBVR.VocabularyforDescribingBusinessVocabularies:ComplianceModel> Terminological Dictionary The terminological dictionary contains the natural language representation of the rule in addition to process concepts. Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Addressing Natural Language Proof Explanation
 Query SBVR model in XML  The projected results are filled into templates  Template above is filled in with o Rule ID, rule statement [From the terminological dictionary and rules vocabulary respectively], o Type of concept (in the case study, a banking customer), specific instance, description, and its ID [From the business context and meaning and representation vocabulary] Constructing Natural Language Explanation As per rule _, _. For current _that is _; _. Therefore compliance is achieved for current _ _.
 This gives a natural language statement like the following-  Similar statement can be constructed whenever obligations are violated in specific instances. Constructing Natural Language Explanation
Toward Addressing Regulatory Change Management  Regulations change o As the regulatory body strives to bring more scenarios under regulatory umbrella o Enterprise operations evolve independent of specific regulations and need to be kept in sync with already compliant regulations
Evolution of KYC from 2008-2014- Kinds of Banking Customers
Evolution of KYC from 2008-2014- Kinds of Documents to be Submitted for KYC
Evolution of KYC from 2008-2014- Kinds of Due Diligence Activities Banks Must Perform
Evolution of KYC from 2008-2014- Kinds of Risks RBI warns Banks to Take Care of
Existing Techniques Integrated Regulatory Changes Integrated Process Changes RisksNewBusiness RulesOriginal BusinessProcessOriginal RulesMod BusinessProcessMod Rules BP BusinessProcessNewBusinessRulesOriginal Business Process changes… Applicability Applicability Applicability Applicability RisksOriginal Applicability Applicability RisksMod Risk Toward Addressing Regulatory Change Management
2009 2011 2012 Annotate rule to task Rule deleted Risk Mitigation applicable to a rule r 1 r 2 r 1 2010 r 1 r 1 r 2 r 2 r31 … … … …r 2 r 3 r 3 o Formal norm change techniques to reason about what to change on regulations side o Rules can be embedded or treated as constraints on specific tasks, we used the latter
Manual Specification Implementation Technology in boldface Specification Language/format in Italics Legal Text Business Process Models Vocabulary EMF Ecore SBVR Editor Assurance Workbench TCS Rules Facts OMG SBVR Metamodel BPMN 2.0 DR-Prolog TuProlog DR-Prolog TuProlog Metainterpreter Interpretation Trace TuProlog Java Procedure Box Abstraction in Trace Success Rules and Facts Failure Rules and Facts Natural Language Explanation Queries with Apache Metamodel API XML Representation of SBVR FreeMarker API Natural Language Templates Implementation Architecture Various Models SEMILAR
Further Challenges in Compliance  Semantic Disparity o Creating vocabulary models of regulations and operational details is an intensive effort, but we think it will pay off, could use natural language processing for faster/aided creation of vocabularies o Domain taxonomies are often published by regulatory bodies, need to find ways to use these or map vocabularies to these for interoperability  Proof Explanation o Not just natural language, but consisting mainly of stakeholder- specific terms o Explanations not just of (non-) compliance, but reparation, and change suggestions  Change Management o When changing processes, how should they be changed? o How to carry out compliance incrementally for changed process for which compliance needs to be rechecked?
Conclusion  Regulatory compliance is a complex practical problem- abstraction and automation models can be immensely useful for enterprises in being compliant  Regulatory compliance poses interesting challenges requiring multi-paradigmatic models working together  Early work with SBVR vocabulary models, defeasible rule models, and business process models seems promising; need to improve/automate model making for each of these
Thanks! Questions? You can reach me at sagar.sunkle@tcs.com
BankType IdentityProof CustomerType DocumentType AddressProof obligatedTo Perform admits 1.. * hasRelated obtain 1.. * 1. .* DocumentSubmission 1..* RiskProfile hasRelated 1 hasRelated Process applicableTo 1.. * Processes Risk Regulations BranchType has RiskPerception isBasedO n 1.. * drives 1.. * DDDOfficer DueDillegenceActivity isCarriedOut By 1.. * 1.. * usedToMitigateAMLRis k 1..* Rules customerType_data(Customer_ID,Conditions...) customerType_KYC_document_data(Customer_ID,Conditions...) Low < Medium < High Prob(ML/FTevent, Consequence) customerRiskProfile( Customer_ID, Risk_Status) 1..*
Processing the Procedure Box Abstraction  Successful Procedure o We are interested in CALL EXIT pairs as shown on left o Remove successive CALL FAIL pairs indicating failed invocations o Failed invocations may occur at various depths, so recursively look for them and remove them  Failed Procedure o We are interested in CALL FAIL pairs as shown on right o Keep only successive CALL FAIL pairs and remove the rest o No need to recurse
Tailoring Proofs using Metainterpreter  Defeasible Metaprogram o A logic metaprogram simulates the proof theory of modal defeasible logic and reasons over the theory • The problem theory is expressed in terms of the metaprogram predicates • The metaprogram is a Prolog program  Trace using metainterpreter- leveraging procedure box abstraction o The metaprogram and problem theory is meta-interpreted to reveal procedure box for given query o Predicate invocation type- one of CALL, EXIT, FAIL, REDO o To obtain relevant rules and facts in a given successful and failed procedure, treat the box differently
Rule 1: Before opening an account, customer information must be obtained and verified. Rule 2: Whenever a customer requests to open a deposit account, customer information must be recorded before opening the account. Disparity between labels in formal regulations and operational specifics- Exhibits
November December Januar y February MarchAprilMay SBVR MM and M in RDF, queries using SPARQL for explanations and reparations; Business rules M to incorporate into domain M for generation of DR-Prolog rules; domain M assisted NLP for SBVR M generation; SBVR to BPMN Domain M assisted LDA for similarity; Layered rules for BP implementation simulation- with BPMN and 1st layer DR-Prolog, 2nd layer Drools, computation of degree of compliance without and with business objectives; simulation of sequence diagrams/use cases; relating regulation M to enterprise M Explanation of reparation, simulation of reparation to re-compute degree of compliance; relating ontology architecture to FIRO and FIBO Explanation of reparation, simulation of reparation to re-compute degree of compliance; relating ontology architecture to FIRO and FIBO

More Related Content

PPTX
Solving Semantic Disparity and Explanation Problems in Regulatory Compliance
byDr.-Ing. Sagar Sunkle
 
PPTX
Toward a holistic method for regulatory change management
byDr.-Ing. Sagar Sunkle
 
PDF
Generative AI for compliance An overview.pdf
byChristopherTHyatt
 
PDF
Most Comprehensive, Updated and Scalable Compliance Management Software Solut...
byLawrbit Lextech India Private Limited
 
PDF
Toward Better Mapping between Regulations and Operational Details of Enterpri...
byDr.-Ing. Sagar Sunkle
 
PPTX
From Laws and Regulations to Decision Automation
byDenis Gagné
 
PPT
7 steps to build an effective corporate compliance strategy
byMaarten BOONEN
 
PDF
Iv 4 Sp 12 Presentation 001
byIESS
 
Solving Semantic Disparity and Explanation Problems in Regulatory Compliance
byDr.-Ing. Sagar Sunkle
 
Toward a holistic method for regulatory change management
byDr.-Ing. Sagar Sunkle
 
Generative AI for compliance An overview.pdf
byChristopherTHyatt
 
Most Comprehensive, Updated and Scalable Compliance Management Software Solut...
byLawrbit Lextech India Private Limited
 
Toward Better Mapping between Regulations and Operational Details of Enterpri...
byDr.-Ing. Sagar Sunkle
 
From Laws and Regulations to Decision Automation
byDenis Gagné
 
7 steps to build an effective corporate compliance strategy
byMaarten BOONEN
 
Iv 4 Sp 12 Presentation 001
byIESS
 

Similar to Model-Driven Regulatory Compliance: A Case Study of “Know Your Customer” Regulations

PDF
Towards legally-compliant governmental case work with Dynamic Condition Respo...
byHugo Andrés López
 
PDF
BGRC Proposition November 2016
byZoe Bucknell
 
PDF
From Frameworks to Enforcement: Navigating Industry Standards and Codes
byAzpirantz Technologies LLP
 
PPTX
REGULATORY CHANGE MANAGEMENT (RCM) In Environmental Health and Safety
by360factors
 
PPTX
Regulatory Change Management
by360factors
 
PPTX
Real Time Process Compliance using Nomenclature Approach
byMurphy Choy
 
PPTX
Scrum and Compliance for Scrum Gathering Vegas (2013)
byLaszlo Szalvay
 
PDF
Compliance driven process development with DCR graphs
byHugo Andrés López
 
PPTX
Explanation of Proofs of Regulatory (Non-)Compliance Using Semantic Vocabularies
byDr.-Ing. Sagar Sunkle
 
PDF
RuleML2015: Explanation of proofs of regulatory (non-)complianceusing semanti...
byRuleML
 
PDF
How to accelerate your financial services compliance initiatives
byIBM Rational software
 
PPTX
Enterprise Governance Risk and Compliance (GRC) Management Solution in India
byLexComply
 
PDF
EIS-Webinar-Regulated-Industries-2025-08.pdf
byEarley Information Science
 
PDF
Terminology Matching of Requirements Specification Documents and Regulations ...
byInstitute of Science Tokyo
 
PPTX
Taming the regulatory tiger with jwg and smartlogic
byAnn Kelly
 
PDF
Lexcomply - Compliance Management Solutions
byLexComply
 
PDF
Business process compliance
byHugo Andrés López
 
PPT
Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup C...
byLean Startup Co.
 
PPTX
The Growing Importance of Governance, Risk, and Compliance in Modern Business...
bybidhanbarman2508
 
PDF
Regulatory Compliance Key Challenges and Effective Solutions.pdf
byMaveric Systems
 
Towards legally-compliant governmental case work with Dynamic Condition Respo...
byHugo Andrés López
 
BGRC Proposition November 2016
byZoe Bucknell
 
From Frameworks to Enforcement: Navigating Industry Standards and Codes
byAzpirantz Technologies LLP
 
REGULATORY CHANGE MANAGEMENT (RCM) In Environmental Health and Safety
by360factors
 
Regulatory Change Management
by360factors
 
Real Time Process Compliance using Nomenclature Approach
byMurphy Choy
 
Scrum and Compliance for Scrum Gathering Vegas (2013)
byLaszlo Szalvay
 
Compliance driven process development with DCR graphs
byHugo Andrés López
 
Explanation of Proofs of Regulatory (Non-)Compliance Using Semantic Vocabularies
byDr.-Ing. Sagar Sunkle
 
RuleML2015: Explanation of proofs of regulatory (non-)complianceusing semanti...
byRuleML
 
How to accelerate your financial services compliance initiatives
byIBM Rational software
 
Enterprise Governance Risk and Compliance (GRC) Management Solution in India
byLexComply
 
EIS-Webinar-Regulated-Industries-2025-08.pdf
byEarley Information Science
 
Terminology Matching of Requirements Specification Documents and Regulations ...
byInstitute of Science Tokyo
 
Taming the regulatory tiger with jwg and smartlogic
byAnn Kelly
 
Lexcomply - Compliance Management Solutions
byLexComply
 
Business process compliance
byHugo Andrés López
 
Balance Compliance and Experimentation by Joanne Molesky - The Lean Startup C...
byLean Startup Co.
 
The Growing Importance of Governance, Risk, and Compliance in Modern Business...
bybidhanbarman2508
 
Regulatory Compliance Key Challenges and Effective Solutions.pdf
byMaveric Systems
 

More from Dr.-Ing. Sagar Sunkle

PPTX
Practical Goal Modeling for Enterprise Change Context: A Problem Statement
byDr.-Ing. Sagar Sunkle
 
PPTX
Toward Structured Simulation of What-If Analyses for Enterprise
byDr.-Ing. Sagar Sunkle
 
PPTX
Toward Structured Simulation of Enterprise Models
byDr.-Ing. Sagar Sunkle
 
PPTX
Incorporating Directives into Enterprise TO-BE Architecture
byDr.-Ing. Sagar Sunkle
 
PPTX
Visual Modeling Editor and Ontology API-based Analysis for Decision Making in...
byDr.-Ing. Sagar Sunkle
 
PPTX
Intentional modeling for problem solving in enterprise architecture (ICEIS 20...
byDr.-Ing. Sagar Sunkle
 
PDF
Analyzing enterprise models using enterprise architecture-based ontology (MOD...
byDr.-Ing. Sagar Sunkle
 
PDF
Toward innovative model based enterprise IT outsourcing (NGEBIS CAISE 2013)
byDr.-Ing. Sagar Sunkle
 
Practical Goal Modeling for Enterprise Change Context: A Problem Statement
byDr.-Ing. Sagar Sunkle
 
Toward Structured Simulation of What-If Analyses for Enterprise
byDr.-Ing. Sagar Sunkle
 
Toward Structured Simulation of Enterprise Models
byDr.-Ing. Sagar Sunkle
 
Incorporating Directives into Enterprise TO-BE Architecture
byDr.-Ing. Sagar Sunkle
 
Visual Modeling Editor and Ontology API-based Analysis for Decision Making in...
byDr.-Ing. Sagar Sunkle
 
Intentional modeling for problem solving in enterprise architecture (ICEIS 20...
byDr.-Ing. Sagar Sunkle
 
Analyzing enterprise models using enterprise architecture-based ontology (MOD...
byDr.-Ing. Sagar Sunkle
 
Toward innovative model based enterprise IT outsourcing (NGEBIS CAISE 2013)
byDr.-Ing. Sagar Sunkle
 

Recently uploaded

PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
December Patch Tuesday
byIvanti
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
The year in review - MarvelClient in 2025
bypanagenda
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 

Model-Driven Regulatory Compliance: A Case Study of “Know Your Customer” Regulations

  • 1.
    Model-Driven Regulatory Compliance: ACase Study of “Know Your Customer” Regulations Sagar Sunkle, Deepali Kholkar, and Vinay Kulkarni Tata Consultancy Services Research, India
  • 2.
    Compliance is adherenceto policies and decisions. Policies may originate in internal directives as well as external regulations.  Cost of Compliance o Increasing spend on compliance- in Billions of $ and expeceted to rise o Several regulations across various domains  Banking KYC [Know Your Customer], FATCA [Foreign Account Tax Compliance Act], BASEL III [Bank Capital Adequacy and Market Liquidity]  Mortgage CFPB [Consumer Financial Protection Bureau]  Healthcare HIPPA [Federal Health Insurance Portability and Accountability Act] o Compliance is difficult to achieve o It is uncertain in many cases what constitutes compliance o It is not clear how it will affect the business o It changes with time and space [geography-specific]  Non-compliance is penalized severely Regulatory Compliance Context
  • 3.
     Compliance checkingresearch o Checking whether processes comply with regulations based on given formalism o Siloed research in business process compliance checking, risk modeling, process change management Largely manual and expert-driven in practice  Industrial Governance, Risk, and Compliance (GRC) solutions o Based on tagging mechanisms- tag regulations to enterprise content (using domain-specific taxonomies when available) o Tagging itself is mostly manual, sometimes (semi-)automated o (Non-/Semi-) formal solutions means less rigorous • Less than 50% of enterprise content is correctly indexed • Multiple labeling and classification errors • Average cost of tagging an item ranges from $ 4.00 to $ 7.00 Current State of Art and Practice
  • 4.
     Semantic Disparity oBefore checking compliance, need to map regulatory concepts to enterprise operational concepts to find out to “what” in enterprise data a regulation is applicable to [in business processes “where” it is applicable] o Largely ignored/implicitly assumed in research approaches, industrial GRC solutions depend on domain experts  Explanation of Proofs of Compliance o An explanation which compliance officers/internal auditors and business stakeholders can use in a legally defensible way  Change Management for Regulations o Regulations change over time and with geography- need to keep operations compliant with changing regulations o Operations may change and need to re-comply with existing regulations Key Challenges
  • 5.
    Changes in Internal Controls Changed Processes Change Risks Inquiries/ Surveys Business ProcessModeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk use prevent, detect, correct, track associated Identify risks in ensure compliance with define fulfill enact in Integrating Research Silos with Conceptual GRC Model Vicente and da Silva: A Conceptual Model for Integrated Governance, Risk and Compliance. CAiSE 2011
  • 6.
    Changes in Internal Controls Changed Processes Change Risks Business ProcessModeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Using Purposive Models for Integrated Compliance
  • 7.
    Changes in Internal Controls Changed Processes Change Risks Business ProcessModeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Formal Model of Regulations SBVR Models of Regulation Concepts Using Purposive Models for Integrated Compliance
  • 8.
    Semantic Mapping and Proof Explanation Changes in Internal Controls Changed Processes Change Risks BusinessProcess Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Formal Model of Regulations Formal Model of Business Process SBVR Models of Regulation Concepts SBVR Models of Process Concepts Mapping Rule Integration Change Management Using Purposive Models for Integrated Compliance
  • 9.
    Semantic Mapping and Proof Explanation Changes in Internal Controls Changed Processes Change Risks BusinessProcess Modeling + Change Propagation Formal Compliance Checking + Norm Change Changes in Regulations and Standards Risk Modeling + Change Risk ensure compliance with fulfill Propagate to prevent, detect, correct, track associated Domain Metamodel Formal Model of Regulations Formal Model of Business Process SBVR Models of Regulation Concepts SBVR Models of Process Concepts Mapping Rule Integration Change Management Regulatory and domain concepts Using Purposive Models for Integrated Compliance
  • 10.
     Create formalvocabularies regulatory and operational concepts and map them to address Semantic Disparity  Use the vocabularies [specifically terminological dictionary] to capture natural language representation to address generation of Proof Explanation  Rematch/retag regulations to operational specifics using vocabulary and mappings, use formal representation of regulations to reason about Regulatory Change Addressing Regulatory Challenges with Model-driven Integrated GRC Architecture
  • 11.
    Regulation: “A discountof 10% is granted if the customer is a gold customer; 5% are granted if the customer is a silver customer.” Disparity between labels in formal regulations and operational specifics- Exhibits Petri Net Approach An event log describing the observed operational behavior is aligned with a Petri-net pattern that formalizes a regulation.
  • 12.
    Regulation: “A discountof 10% is granted if the customer is a gold customer; 5% are granted if the customer is a silver customer.” Disparity between labels in formal regulations and operational specifics- Exhibits Petri Net Approach An event log describing the observed operational behavior is aligned with a Petri-net pattern that formalizes a regulation.
  • 13.
    Regulation: “For paymentruns with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Disparity between labels in formal regulations and operational specifics- Exhibits Compliance Rule Graph-based Approach Events from operational event trace are checked against graph- based compliance rule language CRG that formalizes a regulation.
  • 14.
    Regulation: “For paymentruns with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Disparity between labels in formal regulations and operational specifics- Exhibits Compliance Rule Graph-based Approach Events from operational event trace are checked against graph- based compliance rule language that formalizes a regulation.
  • 15.
    Regulation: “For paymentruns with amount beyond euro 10,000, the payment list has to be signed before being transferred to the bank and has to be led afterwards for later audits.” + Event “payment list A is transferred to the bank” Disparity between labels in formal regulations and operational specifics- Exhibits Compliance Rule Graph-based Approach Events from operational event trace are checked against graph- based compliance rule language CRG that formalizes a regulation. The same observations can be made about other formal approaches- Defeasible logic, BPMN-Q, Pi-Calculus based compliance checking
  • 16.
    Building the Vocabularies Semanticsof Business Vocabulary and Rules (SBVR) Semantic model of formal terminology Business vocabulary o Semantic community and sub- communities owning the regulation and to which the regulation applies o Shared understanding of an area, i.e., body of shared meanings Meanings and characteristics o Categorical concepts with specific details as characteristics
  • 17.
    Mapping the Regulatoryand Operational Vocabularies Rules as Bodies of guidance o Logical formulations based on logical operations Terminological dictionary o Designations or alternate names for various concepts, definitions for concepts and natural language statements for policies stated in the regulation o capture the vocabulary used by the enterprise in its business processes or enterprise data Mapping rules to processes o Every verb concept in the regulation body of concepts is mapped to corresponding verb concept wording from the process terminological dictionary using similarity measures. o This mapping is used to look up consequent terms of rules and the corresponding process entity is treated as a placeholder for compliance implementation of the rule.
  • 18.
    Reserve Bank of India’sKnow Your Customer regulations for a salaried employee at a private employer opening an account at an Indian Bank Addressing Semantic Disparity- An example of banking domain regulation mapping to banking process Formal model [based on deontic, modal, defeasible logic]
  • 19.
    2009 Annotate rule totask r 1 r 2 … Customer account opening process (CAO process) KYC states customer acceptance policies (CAP) where different kinds of customers submit different identification and address documents which need to be checked- in the process above at the “review documents” task determined through vocabularies of CAP regulation and CAO process
  • 20.
    Success Facts forClient_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Client_ID 17 fulfills all Obligatory requisites. The processed trace shows facts in the successful invocation of rule r3. Addressing Natural Language Proof Explanation
  • 21.
    <containsConcepts xsi:type="SBVR.MeaningandRepresentationVocabulary:generalconcept"> <Id>pse</Id> <representation>pse_data</representation> <characteristic>notApprovedCorporate</characteristic> <characteristic>approvedCorporate</characteristic> <moreGeneralConcept>ind</moreGeneralConcept> </containsConcepts> </includesBodyOfConcepts> <includesBodyOfConcepts Id="RBI_KYCRegulationConcepts"> Business Vocabulary withCharacteristics Concept pse and its characteristics such as approvedCorporate are defined in the business context and also in the meaning and representation vocabulary. Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Addressing Natural Language Proof Explanation
  • 22.
    <includesBodyOfGuidance Id="RBI_KYCRules"> <includesElementsOfGuidance Id="r3"> <Id>r3</Id> <isMeantByxsi:type="SBVR.LogicalFormulationofSemanticsVocabulary:obligationformulation"> <antecedent xsi:type="SBVR.LogicalFormulationofSemanticsVocabulary:conjunction"> <logicalOperand xsi:type="SBVR.LogicalFormulationofSemanticsVocabulary:atomicformulation"> <Id>ind</Id> <isBasedOn>client_is_ind</isBasedOn> </logicalOperand> … </isMeantBy> </includesElementsOfGuidance> </includesBodyOfGuidance> Business Rules Vocabulary The rules vocabulary notes the rules and concepts involved. Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Addressing Natural Language Proof Explanation
  • 23.
    <SBVR.VocabularyforDescribingBusinessVocabularies:ComplianceModel> <contains Id="RBI_reference"> <presentsVocabulary Id="RBI_RegulationVocabulary"/> <expressesBodyOfMeaningsId="RBI_KYCRegulation"/> <includes xsi:type="SBVR.VocabularyforDescribingBusinessVocabularies:owneddefinition"> <Id>approvedCorporate</Id> <expression>Employer_is_a_corporate_approved_by_the_bank</expression> <meaning>approvedCorporate</meaning> </includes> <includes xsi:type="SBVR.VocabularyforDescribingBusinessRules:rulestatement"><Id>r3_stmt</Id <expression>It_is_obligatory_for_bank_to_obtain_requisite_documents_Including _approved_employer_certificate_and_additionally_at_least_one_valid_ document_ from_individual_who_is_a_private_salaried_employee _in_order_to_open_account” </expression> <meaning>r3</meaning> </SBVR.VocabularyforDescribingBusinessVocabularies:ComplianceModel> Terminological Dictionary The terminological dictionary contains the natural language representation of the rule in addition to process concepts. Success Facts for Client_ID 17 [ fact(client_data(17,ind,pse))., fact(pse_data(17,approvedCorporate))., fact(pse_KYC_document_data(17,acceptApp rovedCorpCertificate,pse_kyc_document_set )). ] Success Rule r3 Addressing Natural Language Proof Explanation
  • 24.
     Query SBVRmodel in XML  The projected results are filled into templates  Template above is filled in with o Rule ID, rule statement [From the terminological dictionary and rules vocabulary respectively], o Type of concept (in the case study, a banking customer), specific instance, description, and its ID [From the business context and meaning and representation vocabulary] Constructing Natural Language Explanation As per rule _, _. For current _that is _; _. Therefore compliance is achieved for current _ _.
  • 25.
     This givesa natural language statement like the following-  Similar statement can be constructed whenever obligations are violated in specific instances. Constructing Natural Language Explanation
  • 26.
    Toward Addressing RegulatoryChange Management  Regulations change o As the regulatory body strives to bring more scenarios under regulatory umbrella o Enterprise operations evolve independent of specific regulations and need to be kept in sync with already compliant regulations
  • 27.
    Evolution of KYCfrom 2008-2014- Kinds of Banking Customers
  • 28.
    Evolution of KYCfrom 2008-2014- Kinds of Documents to be Submitted for KYC
  • 29.
    Evolution of KYCfrom 2008-2014- Kinds of Due Diligence Activities Banks Must Perform
  • 30.
    Evolution of KYCfrom 2008-2014- Kinds of Risks RBI warns Banks to Take Care of
  • 31.
    Existing Techniques Integrated Regulatory Changes Integrated Process Changes RisksNewBusiness RulesOriginalBusinessProcessOriginal RulesMod BusinessProcessMod Rules BP BusinessProcessNewBusinessRulesOriginal Business Process changes… Applicability Applicability Applicability Applicability RisksOriginal Applicability Applicability RisksMod Risk Toward Addressing Regulatory Change Management
  • 32.
    2009 2011 2012 Annotate rule totask Rule deleted Risk Mitigation applicable to a rule r 1 r 2 r 1 2010 r 1 r 1 r 2 r 2 r31 … … … …r 2 r 3 r 3 o Formal norm change techniques to reason about what to change on regulations side o Rules can be embedded or treated as constraints on specific tasks, we used the latter
  • 33.
    Manual Specification Implementation Technology in boldface Specification Language/formatin Italics Legal Text Business Process Models Vocabulary EMF Ecore SBVR Editor Assurance Workbench TCS Rules Facts OMG SBVR Metamodel BPMN 2.0 DR-Prolog TuProlog DR-Prolog TuProlog Metainterpreter Interpretation Trace TuProlog Java Procedure Box Abstraction in Trace Success Rules and Facts Failure Rules and Facts Natural Language Explanation Queries with Apache Metamodel API XML Representation of SBVR FreeMarker API Natural Language Templates Implementation Architecture Various Models SEMILAR
  • 34.
    Further Challenges inCompliance  Semantic Disparity o Creating vocabulary models of regulations and operational details is an intensive effort, but we think it will pay off, could use natural language processing for faster/aided creation of vocabularies o Domain taxonomies are often published by regulatory bodies, need to find ways to use these or map vocabularies to these for interoperability  Proof Explanation o Not just natural language, but consisting mainly of stakeholder- specific terms o Explanations not just of (non-) compliance, but reparation, and change suggestions  Change Management o When changing processes, how should they be changed? o How to carry out compliance incrementally for changed process for which compliance needs to be rechecked?
  • 35.
    Conclusion  Regulatory complianceis a complex practical problem- abstraction and automation models can be immensely useful for enterprises in being compliant  Regulatory compliance poses interesting challenges requiring multi-paradigmatic models working together  Early work with SBVR vocabulary models, defeasible rule models, and business process models seems promising; need to improve/automate model making for each of these
  • 36.
    Thanks! Questions? You can reachme at sagar.sunkle@tcs.com
  • 40.
    BankType IdentityProof CustomerType DocumentType AddressProof obligatedTo Perform admits 1.. * hasRelated obtain 1.. * 1. .* DocumentSubmission 1..* RiskProfile hasRelated 1 hasRelated Process applicableTo 1.. * Processes RiskRegulations BranchType has RiskPerception isBasedO n 1.. * drives 1.. * DDDOfficer DueDillegenceActivity isCarriedOut By 1.. * 1.. * usedToMitigateAMLRis k 1..* Rules customerType_data(Customer_ID,Conditions...) customerType_KYC_document_data(Customer_ID,Conditions...) Low < Medium < High Prob(ML/FTevent, Consequence) customerRiskProfile( Customer_ID, Risk_Status) 1..*
  • 41.
    Processing the ProcedureBox Abstraction  Successful Procedure o We are interested in CALL EXIT pairs as shown on left o Remove successive CALL FAIL pairs indicating failed invocations o Failed invocations may occur at various depths, so recursively look for them and remove them  Failed Procedure o We are interested in CALL FAIL pairs as shown on right o Keep only successive CALL FAIL pairs and remove the rest o No need to recurse
  • 42.
    Tailoring Proofs usingMetainterpreter  Defeasible Metaprogram o A logic metaprogram simulates the proof theory of modal defeasible logic and reasons over the theory • The problem theory is expressed in terms of the metaprogram predicates • The metaprogram is a Prolog program  Trace using metainterpreter- leveraging procedure box abstraction o The metaprogram and problem theory is meta-interpreted to reveal procedure box for given query o Predicate invocation type- one of CALL, EXIT, FAIL, REDO o To obtain relevant rules and facts in a given successful and failed procedure, treat the box differently
  • 43.
    Rule 1: Beforeopening an account, customer information must be obtained and verified. Rule 2: Whenever a customer requests to open a deposit account, customer information must be recorded before opening the account. Disparity between labels in formal regulations and operational specifics- Exhibits
  • 44.
    November December Januar y February MarchAprilMay SBVR MM andM in RDF, queries using SPARQL for explanations and reparations; Business rules M to incorporate into domain M for generation of DR-Prolog rules; domain M assisted NLP for SBVR M generation; SBVR to BPMN Domain M assisted LDA for similarity; Layered rules for BP implementation simulation- with BPMN and 1st layer DR-Prolog, 2nd layer Drools, computation of degree of compliance without and with business objectives; simulation of sequence diagrams/use cases; relating regulation M to enterprise M Explanation of reparation, simulation of reparation to re-compute degree of compliance; relating ontology architecture to FIRO and FIBO Explanation of reparation, simulation of reparation to re-compute degree of compliance; relating ontology architecture to FIRO and FIBO

Editor's Notes

  • #18 TD Various representations used by a semantic community for its concepts and rules Each activity in the process becomes a verb concept wording in the
  • #43 Trace using interpreter such as XSB Existing work tailors the trace of interpretation