Understanding Risk Mitigation in a Platform and API Economy


RegTech Platform--Achieve Horizontal Governance in eGRC with an Ecosystem of Data and a Network of Applications

Horizontal Governance Using Platform Tech

By Frank Cummings, CEO of AML Partners • Gerald Hayden, IBM Global Banking and Financial Markets Center of Competency • Daniel Bingham, IBM Watson, Industry Platforms

For years we’ve talked about horizontal governance, managing enterprise risk, and achieving near-automated Compliance. Innovation in platform technology now delivers the ability to execute these critical work processes—an innovation that counters decades of ineffectiveness, inefficiency, and the spiraling cost of technical debt. Unlike traditional vertical solutions and applications, platforms enable connectivity to any application with an API, and they make possible the creation and use of an Ecosystem of Data.

A ‘Network of Applications’ Via APIs

One of the crucial advances provided by platforms is the ability to add any functionality to the platform through API configurations—in essence creating a Network of Applications. This functionality can transform separate and serial workflows into integrated and responsive work processes. Contrast that with the misery and expense of complex, costly, and time-consuming custom integrations that cannot easily be upgraded.

For example, with API installations and configured workflows, a RegTech platform provides the single software platform for an institution’s Network of Applications that could include end-to-end AML/CTF compliance, its CECL workflow, a workflow for compliance with the Foreign Corrupt Practices Act, its vendor management system, and whatever else is needed. And with platform infrastructure supporting both RESTful and binary APIs, users have nearly endless opportunities for third-party automation, customization, and extension.

The Event Library and an ‘Ecosystem of Data’

Today’s platform technology also delivers a level of Business Process Management that provides the ability to monitor any piece of data or data sets for the occurrence of—or the lack of—any event across the enterprise. And because of unique platform architecture that does not touch production, the Event Library leverages all of the institution’s otherwise siloed data. Configured within a platform’s Event Library, this data monitoring directly tracks Key Risk Indicators (KRIs) which, via an Action Library, become actionable at Customer and Employee levels.

With regulatory environments continually evolving, the Event Library provides extraordinary value and flexibility to users. By predefining KRIs by function in the Event Library, users can now maintain near-real time compliance or governance in any database to which they have access—and they can expand or adapt their Event Library data monitoring and action triggers as often as needed.

Additionally, since the platform architecture facilitates access to the Ecosystem of Data without touching production, this allows for the full potential of AI and cognitive ability to be quickly added to an enterprise both strategically and in a measured manner.

One example of this would be to incorporate both entity financial performance measurements as well as KYC in a single workflow. Other examples would be to facilitate new “exhaust data” segmentation models or better process outcomes of new, highly accurate ID Management technologies. Using short lines of code means adding API platform flexibility in ways that will often only be limited by one’s imagination.

Horizontal Risk Management and Governance

The Event Library functionality that leverages the platform’s Ecosystem of Data also applies to Risk, but platforms also provide the ability to take risk management to the next level. Specifically, a platform enables horizontal risk management, i.e. managing risk across the entire enterprise through a standard interface—with the Event Library continually monitoring risk through pre-defined governance and compliance workflows. The strength of this actionable approach lies not only in the ability to control Risk but also in the ability to measure Risk-management performance.

Another promise of the platform is that the user community no longer needs to be shackled by technology limitations when making business decisions. This is because platforms facilitate the addition of other services to the platform’s Network of Applications through binary APIs that allow authorized users in the user community to extend the platform. This not only facilitates the transition to anyone becoming a Data Scientist and reduces the cost pressures on IT, but it also connects Levels 1, 2, and 3 Risk Management Control and Performance.

With these levels of functionality and the ability to achieve comprehensive Horizontal Governance, a key platform feature is a robust permissions system. For example, Risk items in an Event Library are permissioned. This means that if you are not within the Employee Risk Mitigation group or another authorized group, you cannot see Risk Events (e.g. Sarbanes-Oxley Act Separation of Duties). The only exceptions are Internal Audit and, in some cases, Level 2 Risk Governance. Other users such as product managers can be permissioned based on internal security procedures so that they see events in their respective functional areas.

This is important because Internal Controls are used to determine whether users achieve horizontal governance, and whether they achieve horizontal compliance. In other words, this facilitates permission-based transparency with the ability to control and measure the performance of Risk Management. This not only enables Centralized Authority, it allows the Control and Performance of distributed accountability. In an unprecedented fashion, meeting regulatory requirements and the actual business need(s) become one and the same workflow motion, in real time.

Examples of Platform-based eGRC

The following examples illustrate some of these platform capabilities across an enterprise:

• An authorized user can configure a pre-audit event within the Event Library to verify that the reconciliations between the core payment systems and the AML system have been completed since the last audit. In this case, the Event Library would be configured to automatically check where those reports are stored and validated, and to trigger an action to email the Auditor regarding any non-compliance. Equally important, Internal Auditor time is maximized via automation.

• An example of a compliance event in the Event Library would be to validate that the entity type selected by the KYC analyst is the same as that listed at LEI.org or any other verification service. If those entity types did not match, one of many actions could be triggered depending on the institution. One could configure the system to automatically create a case to determine why the analyst made that selection. Alternately, the Event Library could trigger an email to the supervisor or even call both the analyst’s and the supervisor’s phone numbers with an automated message. The Event Library could even be configured to close the account and refer the record to Compliance for further processing.

• Board of Directors: Users could configure the system to set up an event to monitor a specific directory and then email those documents to the appropriate Board Committee (or other Governance body), as needed. All of this is managed by the Directory, which can be configured in any manner.

• An event could be configured that, based on conditions, would send emails to required employees to begin processing or stop processing payments to or from any individual or entity. This automated process would help maintain compliance with the provisional-approval rule that allows operations to process payments while documents pertinent to the USA PATRIOT Act are being collected. At expiration of the provisional approval, an automated email is sent to those individuals to stop processing payments until that customer is accepted. Once acceptance is finalized, another email can go to those individuals to resume processing payments.
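As an added illustration (not code from AML Partners or the RegTech One platform), here is a small Python sketch of the Event Library pattern the examples above and the permissions paragraph describe: risk events evaluated over a customer record, each returning the actions it would trigger, with results exposed only to permissioned groups. The verification-service lookup, record fields, group names and action strings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Constructed stand-in for a verification service such as LEI.org (not a real lookup).
VERIFICATION_SERVICE = {"LEI-EXAMPLE-0001": "CORPORATION"}

@dataclass
class RiskEvent:
    name: str
    check: Callable[[dict], list]  # returns the actions to trigger; empty list = compliant
    allowed_groups: frozenset      # groups permitted to see this event's results

def entity_type_mismatch(rec: dict) -> list:
    """Compliance event: the analyst's entity type must match the verification service."""
    verified = VERIFICATION_SERVICE.get(rec["lei"])
    if verified is not None and verified != rec["entity_type"]:
        return [f"open_case:{rec['customer']}", f"email_supervisor:{rec['supervisor']}"]
    return []

def provisional_approval_expired(rec: dict, today: date) -> list:
    """Provisional-approval rule: stop payments once the approval window has lapsed."""
    if rec["status"] == "provisional" and today > rec["provisional_until"]:
        return [f"email_operations:stop_payments:{rec['customer']}"]
    if rec["status"] == "accepted":
        return [f"email_operations:resume_payments:{rec['customer']}"]
    return []

class EventLibrary:
    def __init__(self, today: date):
        self.today = today
        self.events = [
            RiskEvent("kyc_entity_type_mismatch", entity_type_mismatch,
                      frozenset({"employee_risk_mitigation", "internal_audit", "kyc_analysts"})),
            RiskEvent("provisional_approval_expiry",
                      lambda r: provisional_approval_expired(r, self.today),
                      frozenset({"employee_risk_mitigation", "internal_audit"})),
        ]

    def run(self, rec: dict, user_groups: set) -> dict:
        """Evaluate every event; a result is returned only if the caller is permissioned."""
        results = {}
        for ev in self.events:
            if user_groups & ev.allowed_groups:  # permission check before exposing a Risk Event
                results[ev.name] = ev.check(rec)
        return results

SAMPLE_RECORD = {  # constructed KYC record: entity type disagrees with the service
    "customer": "C-1001", "lei": "LEI-EXAMPLE-0001", "entity_type": "PARTNERSHIP",
    "supervisor": "sup@example.org", "status": "provisional",
    "provisional_until": date(2024, 1, 31),
}
```

A product manager outside the permissioned groups gets an empty result set, while Internal Audit sees both events and the actions each would trigger.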

Innovation for Efficiency, Effectiveness, and Horizontal Governance

Technology platforms can transform an institution’s effectiveness and efficiency in eGRC. By creating both an Ecosystem of Data and a Network of Applications, a technology platform can mitigate the need to forklift legacy infrastructure and instead allow institutions to gain immediate benefits by modernizing at a much lower cost. Institutions may then replace legacy systems as time and budget become available.

Moreover, platforms will continue to add important new functionality to boost the efficiency and effectiveness of horizontal governance. For example, an upcoming feature is natural language processing (i.e. talking to your computer or mobile device). With this, a User will be able to walk into a Risk meeting and speak into his cellphone “Give ‘MY Risk Picture.’” The system will process the request and send whatever near-real time reports, graphs, pictures, etc. have been pre-defined for that User’s account as “MY Risk Picture”—and it can transmit them to any other members present at the meeting.

Because the platform offers an Ecosystem of Data and a Network of Applications, it can connect anything to anything by adding more micro-services, applications, or even other platforms—and this can be accomplished in hours and days, not weeks and months. Welcome to Platforms and the API Economy—and the opportunity for full Horizontal Governance.
