CDI: Harnessing the Value of Enterprise Data
Part 5 – Compliance — Data Quality and Beyond
By Innovative Systems' R. Jeffrey Canter
DM Direct, July 16, 2004
In the first four articles of this series, we discussed some of the essential building blocks of customer data integration, the importance of data quality, how to select the right data quality solution to meet your organization's unique business needs and how to implement your data quality solution in a way that achieves both technological and business objectives.
In this segment, we'll review the role of data quality in addressing an increasingly important issue that impacts a wide variety of business functions, including operations, marketing, customer relations, investor relations, risk management, corporate governance and profitability. That issue is regulatory compliance.
We will look at some of the real-world challenges to achieving compliance and examine how effective data quality management can help overcome those challenges.
Coping with the Expanding Compliance Landscape
The number and scope of compliance regulations have increased dramatically over the last few years — and are likely to continue to increase in the future. Among the key regulations organizations must address are the U.S.A. Patriot Act, Treasury Department's Office of Foreign Assets Control (OFAC) and Bank Secrecy Act to fight terrorism and money laundering; Sarbanes-Oxley for corporate governance and executive responsibility; Basel II for risk management; HIPAA for medical privacy; and state and federal Do Not Call legislation for telephone privacy.
Because many organizations perceive compliance primarily as a cost center, often their objective is to meet the requirements with the least possible expense and impact on overall operations. Unfortunately, compliance departments are often downstream from key business functions and have little authority over important data management decisions that directly impact their ability to fulfill compliance requirements.
Patchwork Solutions Leave Organizations at Risk
In their attempts to minimize their compliance investments, many organizations have developed a patchwork solution that combines homegrown components with a myriad of vendor solutions that have been purchased to meet various regulatory requirements. As a result, the organization's IT or compliance department is charged with tying all the pieces together and keeping them running as smoothly as possible, in spite of ongoing changes in regulatory and operational needs.
Too often, this kluge leaves major gaps in such areas as processing capability, accuracy, reporting, record-keeping and overall accountability. The risks of non-compliance — including substantial fines and/or imprisonment — are significant. Even more devastating is the potential of negative publicity and brand damage that could result from doing business with a person or company on a watch list or providing investors and analysts with fraudulent financial information.
A Common Compliance Thread: Data Quality
One common element is required for successful compliance among the mandates mentioned above: quality data. Regardless of how sophisticated and powerful an organization's compliance solution may be, ultimately, it can be only as good as the data it is processing.
Inaccurate customer data will inevitably lead to errors in matching against suspect and Do Not Call lists as well as failures in maintaining patients' medical privacy. Faulty financial or analytical data will leave CEOs and CFOs at risk of signing off on erroneous financial statements.
The old IT axiom still applies: "Garbage in, garbage out." If you are not sure that the data fed to your compliance engine is accurate, how can you have confidence in the results? To illustrate this, let's look at how data quality can impact compliance effectiveness in the high-profile areas of anti-terrorism and Sarbanes-Oxley.
Data Quality and Anti-Terrorism Compliance
As the government's definition of financial institutions expands to include a variety of organizations that perform financial transactions, a growing number of industries are being required to compare their customers and transactions against lists of suspect individuals, blocked foreign countries, terrorism-sponsoring groups and international narcotics traffickers. Screening directives previously required only of banks and insurance companies now impact brokerage firms, automobile dealers and gambling establishments — and the list of affected industries continues to grow.
In general, these industries are required to screen all customers and customer transactions against government-provided lists of suspected terrorists, money launderers and other criminals. On the surface, that may seem like a relatively straightforward operation. But consider the real-world challenges that must be overcome to successfully meet those requirements:
  Size, Number and Complexity of Customer and Administrative Systems - For many large organizations, with multiple locations and customer contact portals, one of the primary obstacles to successful compliance is the overwhelming size and complexity of their IT infrastructure. The solution they choose must be robust and powerful enough to accurately match millions of customer records from a number of disparate legacy databases.
  Differing Data Formats - Processing millions of records a day is difficult enough when all the records are in a consistent format — but for compliance purposes, they usually are not. While an organization is able to control the way in which its customer data is formatted, it cannot control the formatting of the suspect lists. Unfortunately, these outside lists are not consistently formatted, making matching them against an organization's internal customer list difficult.
  Differing Quality Standards - In addition to the formidable task of trying to match lists of varying formats, in many cases, the quality of the data itself can be an obstacle. Even in relatively well-maintained databases, it is not uncommon to find name, address or extraneous information such as legal titles or descriptive phrases located in the wrong fields.
And even if the quality of the organization's own customer data is excellent, it must be matched against government-provided lists that include mixed nationality data, names in both first/last and last/first name order, aliases, multiple names embedded in the same record and other anomalies.
  Matching Technology - Matching accuracy is critical to the effectiveness of a compliance solution, and both over-matching and under-matching can be costly. Yet the sophistication of matching technologies currently on the market varies widely. The U.S.A. Patriot Act requires that each potential match be thoroughly investigated to determine whether or not it is a true match. This can become time-consuming and expensive, especially if the number of "false positives" (those records that are mistakenly identified as a match) is high. Missed matches can be even worse, potentially resulting in non-compliance - and substantial fines, imprisonment or negative publicity.
  Auditing and Reporting Requirements - In addition to performing the required screening, organizations must be able to document the screening process and how the potential matches were investigated and resolved. Generating and maintaining this documentation can create an additional burden on the organization's manpower, IT resources and budgets.
  Continual Introduction of New Laws and Suspect Lists - Indications are that today's international compliance legislation is only the beginning. It is likely that we are going to see more laws, more stringent screening requirements and more suspect lists to screen against. A solution designed to meet today's legislation and list matching needs is likely to become obsolete in a short period of time.
Case in Point: Patchwork Solution Leaves Organization at Substantial Risk
As an example of how a patchwork compliance approach can go seriously wrong, I know of one major brokerage firm with locations throughout the U.S. that is requiring all of its offices to send their customer lists to its New York headquarters for compliance processing. The company obtains its suspect lists for matching from a vendor that performs little, if any, data quality processing on the suspect lists prior to delivery.
The customer lists arrive at the headquarters in a multitude of formats and levels of quality. The company's licensed matching software was not designed to handle data in varying formats, so it cannot accurately identify matches and frequently over- and under-matches. And because the matching software is not able to automatically consolidate these numerous customer lists into a reliable list of unique customer profiles, the organization spends significant time manually reviewing the output and attempting to correct problems. If the lists are not accurately cleansed, a faulty customer list is used for matching against the suspect lists.
This approach lacks an effective way to identify and eliminate duplicate customer records across branches, so the company cannot effectively or reliably compare its customers against the government-provided sanction lists. And if matches against the suspect list do require review, the branch offices have no way of accessing the data to provide informed input.
This organization's compliance processes have been pieced together over time and are not designed to effectively address its compliance requirements of today. As a result, the firm is running weeks — probably now months — behind in screening its customers against the mandated sanction lists, and the organization as a whole is at substantial risk of non-compliance.
Characteristics of an Effective Compliance Solution
Now that we've discussed the challenges to successful anti-terrorist compliance, let's look at the basic elements of an effective compliance solution. Here are some important characteristics you should look for:
  Powerful, Robust Processing Capabilities - To meet the processing demands of millions of customer records and transactions, the solution selected must be powerful, robust and extensible. It should have the processing capacity and flexibility to serve multiple functions and adapt to changing demands, without the delays and expense related to a major system overhaul.
  Data Quality Management Capability - For efficient and accurate matching, a compliance solution must be able to compare consistent data elements against each other. It should be able to cleanse, parse and standardize the organization's customer data as well as the data in the government-provided suspect lists. Transforming all the records to the same format and eliminating anomalies and errors will greatly enhance matching accuracy and speed.
  List Management and Monitoring Service - Staying current with the required suspect lists and latest updates can be a nightmare. A quality compliance solution vendor will offer list management and updating services as part of their overall package.
  Advanced Matching Technology - The matching software should be powerful enough to be able to identify potential duplicate records even when the data includes misspellings, character transpositions, aliases, acronyms, data extensions and missing entries. The goal is to minimize the time and costs required for reviewing false positives, while ensuring that no valid suspect match or transaction slips through unidentified.
  Auditing and Reporting Capability - As part of its processing, the solution should maintain a detailed audit trail of all records screened and potential matches investigated during a time period determined by the organization. It should also be able to provide a full battery of auditing and case management reports.
To protect your organization against non-compliance, look for a compliance solution that includes — at minimum — data quality management of both suspect and customer lists; matching technology that is powerful, sophisticated and flexible; and built-in reporting and audit trail capabilities.
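The three minimum elements named above (standardizing both lists, tolerant matching, and an audit trail) can be seen working together in the following sketch. It is an added example, not code from the article or from any vendor product; the record IDs, names, title list and the 0.85 threshold are constructed assumptions, and the similarity measure is Python's standard-library `difflib`, swapped in for whatever matching engine a real solution uses.

```python
import re
from difflib import SequenceMatcher

TITLES = {"mr", "mrs", "ms", "dr", "jr", "sr", "esq"}  # constructed, not exhaustive

def standardize(raw):
    """Split embedded aliases, drop titles and punctuation, neutralise name order."""
    names = []
    for part in re.split(r";|\ba\.k\.a\.?", raw, flags=re.I):
        tokens = re.sub(r"[^\w\s]", " ", part.casefold()).split()
        tokens = sorted(t for t in tokens if t not in TITLES)  # order-insensitive
        if tokens:
            names.append(" ".join(tokens))
    return names

def screen(customers, watchlist, threshold=0.85):
    """Return (hits, audit); every customer screened gets an audit row."""
    index = [(eid, alias) for eid, raw in watchlist for alias in standardize(raw)]
    hits, audit = [], []
    for cust_id, raw in customers:
        best_score, best_entry = 0.0, None
        for name in standardize(raw):
            for eid, alias in index:
                score = SequenceMatcher(None, name, alias).ratio()
                if score > best_score:
                    best_score, best_entry = score, eid
        # Lower thresholds raise false positives; higher ones risk missed matches.
        decision = "REVIEW" if best_score >= threshold else "CLEAR"
        audit.append({"customer": cust_id, "best_entry": best_entry,
                      "score": round(best_score, 3), "decision": decision})
        if decision == "REVIEW":
            hits.append((cust_id, best_entry))
    return hits, audit

# Constructed sample data: last/first order, embedded aliases, a title,
# a character transposition, and an unrelated customer.
WATCHLIST = [
    ("WL-001", "PETROV, Ivan a.k.a. Ivan PETROFF"),
    ("WL-002", "Acme Trading Co.; ACME TRADING COMPANY LTD"),
]
CUSTOMERS = [
    ("C-1", "Mr. Ivan Petrov"),
    ("C-2", "Petroff, Ivan"),
    ("C-3", "Ivna Petrov"),
    ("C-4", "Maria Gonzalez"),
    ("C-5", "ACME Trading Co"),
]

if __name__ == "__main__":
    hits, audit = screen(CUSTOMERS, WATCHLIST)
    for row in audit:
        print(row)
```

Without the `standardize` step, the raw strings "Mr. Ivan Petrov" and "PETROV, Ivan a.k.a. Ivan PETROFF" score far below the threshold, which is the under-matching failure the brokerage case describes.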
Data Quality and Sarbanes-Oxley Compliance
Sarbanes-Oxley (SOX) presents another good case study on the importance of data quality in compliance initiatives. Although data quality plays a somewhat different role in SOX compliance, it is critical to achieving compliance success.
In general, SOX focuses on three key areas of corporate governance:
  Section 404 - the integrity of the organization's financial systems
  Section 302 - the timeliness and accuracy of financial reporting
  Sections 404 and 409 - improved monitoring to detect fraud
One of the key provisions of SOX is that it places responsibility for the integrity of the organization's finances and the accuracy of its financial disclosures squarely on executive management's shoulders. While SOX does not really mandate new responsibilities for CEOs and CFOs, it does impose severe penalties — including jail time — for negligence or failure to perform those responsibilities.
More specifically, SOX requires CEOs and CFOs to examine, verify and confirm the accuracy of financial statements and information from across the organization. In order to execute these responsibilities, executive management needs detailed enterprise data. Financial information from multiple sources and applications must be collected, consolidated, reviewed and authenticated.
To ensure compliance with SOX, data accuracy and integrity are critical. Accounting practices and procedures can be reviewed. Calculations can be checked and double-checked. But how good is the underlying data itself?
Is the data reliable enough to support sound business decision making? Can the CEO and CFO be fully confident in the accuracy of the information they are personally confirming? Do they have to trust IT or the data's business owners regarding its integrity — or can they verify that integrity for themselves? These are all questions that must be answered with confidence.
Automated Data Profiling - An In-Depth Picture of the Data Itself
Automated data profiling provides a fast, simple and economical way to evaluate and verify the data's integrity or to identify quality issues within the data that must be addressed. It presents an accurate, detailed profile of the organization's total data asset — including structure, content, descriptions, values, formats, frequencies, patterns, ranges, keys and joins. These results can be used to enhance SOX compliance by:
  De-risking data consolidation and integration
  Providing valuable analytical information and business intelligence
  Identifying quality problems that may impact analysis results and decision making
  Enabling business users — including CEOs and CFOs — to see and understand the true quality of the data for which they are responsible
SOX puts executives' careers on the line regarding the truth and accuracy of financial and accounting statements. Automated data profiling helps to assure that the underlying data of those statements is accurate and reliable.
A Better Approach: Implementing a Quality-Driven Compliance Regime
Few issues are higher profile than compliance. The number and scope of compliance regulations have increased dramatically over the last few years — and are likely to continue to increase in the future. To be successful, organizations serious about compliance must also be serious about data quality because at the core of any reliable screening and compliance program is quality data.
Organizations that have pieced together their compliance process should carefully review its design and audit its results to ensure that the process that has developed over time is up to the task of meeting the company's current requirements. In particular, organizations that plan to use existing data quality software for their compliance efforts must carefully examine the software's ability to effectively extend its rules and processing capabilities in order to provide mission-critical and compliance-specific capabilities, without which the entire compliance process could be undermined.
What's Next ...
In this series we have presented best practices for customer data management, particularly how to ensure highly accurate and reliable customer data throughout the enterprise. Our next article will address how these important data management strategies can be leveraged to develop an effective enterprise customer data integration process.
Organizations face daunting data challenges when attempting to integrate customer information from multiple application systems in an effort to create an enterprise customer view for improved cross-departmental decision-making. As a result, most organizations settle for managing a network of incomplete and differing 'master' customer databases. Not only is this fractured approach costly, it undermines most of the organization's critical business development initiatives. The next — and last — article of this series will discuss how to successfully integrate and leverage enterprise customer data — and the significant business benefits to be gained by doing so.
Article published in DM Direct Newsletter, July 16, 2004 Issue