Intelligent surveillance - the death of random review?

In a survey of board directors of US public companies conducted by Directorship Search Group and RHR International, the cost of compliance with Sarbanes-Oxley alone was estimated at $16 million per company per year. In 2007, Basel II comes into force and introduces new regulations for identifying, assessing, measuring and controlling risks in the banking sector. The IT project supporting compliance has been described by the Economist Intelligence Unit as "more complex than Y2K and Euro projects".

Companies are starting to realize that compliance cannot become a money pit: it cannot be an expensive box-ticking exercise. It must be seized as an opportunity to improve internal governance, so that the cost of compliance delivers a return on investment in improved management and planning and assured business continuity. Companies also need to introduce systems that can easily be adapted to cope with future regulatory changes. While the nature of future regulation amendments is uncertain, their occurrence is guaranteed.

One major investment bank has been given the green light from the National Association of Securities Dealers (NASD) to use a new method of supervising communications. NASD rules stipulate that: "each member shall establish procedures... for the review by a registered principal of incoming and outgoing written and electronic correspondence of its registered representatives with the public relating to the investment banking or securities business of such member". The rules aren't specific about how this should be achieved, but given the volume of communications banks deal with, random sampling is the best most can do. Conventional wisdom is that banks should be sampling about 5 per cent of emails, but they typically only manage to review a tenth of that. One bank said, "to review 5 per cent of our emails, we would need to have ten people working 24 hours a day, seven days a week and reviewing an email every five seconds". The bank in our example sends and receives one million emails a day.

Random sampling isn't an efficient way to supervise staff. Firstly, white collar criminals could use the company's email system with 99.5 per cent confidence their communication won't be intercepted. Employees can continue committing regulatory breaches. By the time the evidence is discovered in the communications archive as a result of an investigation it's too late: the damage is done and the evidence is in the company's data vaults.

Secondly, a day spent reviewing golf club invites, compliant business emails, spam and office humor is a waste of experienced compliance officers' time. Making them speed-read irrelevant emails will demotivate and exhaust them, and could interfere with their ability to spot real compliance breaches that do cross their screens.

For these reasons, the bank in question has abandoned random sampling and is meeting its review obligations using policy enforcement, a technology that detects and stops policy violations before they occur. This "active policy management" approach enables the bank to review 100 per cent of the emails that present a compliance risk, without wasting time reviewing others. The software enforces policy by analyzing the words, context and meaning of emails, instant messages and other electronic communications, including those made through Bloomberg terminals and handheld devices such as the BlackBerry. Any messages that breach regulations or corporate policy – including theft or leakage of intellectual property – are flagged for review and blocked before they are sent.

Active policy management is superior to alternative lexicon-match technologies in a number of ways. For example, lexicon-match processes are unable to determine context: they would be confused by the difference between "laundering" a shirt and "laundering" money. These technologies enable exception-based review, but aren't smart enough to eliminate enough background noise. Lexicon-matching systems can flag as much as 5 per cent of the total email, of which only 5 per cent justify review.

Because active policy management technologies analyze not just the content of the message, but also its meaning (its concept) and who is communicating with whom about what at what time (the context), false positives are eliminated.

The end result is that the institution continues to sample a percentage of its electronic communications: the difference is that the sample is chosen according to those communications most worthy of review, rather than being picked at random.

While companies and their regulators share the goal of protecting businesses, investors and markets from the enemy within, it's natural for companies to fear the forces that can shut them down. So far, they've been lucky. Regulators have been forced to wait for tip-offs or leads from compliance departments, auditors or investors before they can swoop in for the kill.

But nobody knows what "smoking guns" might be hidden in the communications archive. Some argue it doesn't matter because nobody has the resources to trawl the ever-growing archive looking for them, and the odds of discovering an offense through random sampling are slim.

This will change. It's easy to foresee a time when regulators will use technology in place of whistleblowers to provide the 'tip-off' they need. In the same way that companies can use active policy management software to focus their attention on communications that risk breaching regulatory guidelines before they take place, regulators could use intelligent surveillance applications to mine the archives for evidence of policy breaches. These applications process the communications archive, applying policies retrospectively to identify potential breaches that took place in the past. Like policy enforcement tools, intelligent surveillance tools analyze the content, context and concept of old messages to find those that are likely to be non-compliant.

The SEC is already making plans to process the stacks of paperwork it handles relating to active investigations in this way. "All the tools that we're deploying will allow the attorney to find similar concepts using different vocabulary, recognize patterns in the way emails are exchanged, and other, more-advanced kinds of analysis," says R. Corey Booth, the SEC's chief information officer. "One can only imagine how much more productive this will make us."

As well as the burden of increasing regulation, companies will face increasing determination by regulators to enforce existing regulation in full. Booth, who was appointed in January 2004, has led the development of a five year plan that includes the electronic searching and retrieval of scanned documents and the possible use of Extensible Business Reporting Language (XBRL) for filings. The aim is to use advanced analytical tools to spot apparent irregularities before they become problems, and direct investigative resources towards them. The IT infrastructure has been upgraded to handle the 30 to 50 terabytes of data that Booth expects the SEC to amass over the next year. The IT review has been prompted at least partly by the Sarbanes-Oxley Act, which stipulates that the SEC must review the filings of a third of the companies it regulates each year.

Use of more intelligent technology will enable the regulator to become more aggressive and more successful at spotting crime. Human resources previously engaged in fishing for evidence can now be directed to study questionable data, ensuring that less time and money is wasted while the valuable work of protecting the economy goes on.

It's thought-provoking to wonder what would happen if the regulators were privatized and effectively paid for performance. How much more motivated would that make them? How much more would they invest in developing and deploying IT that can forensically examine business data to isolate evidence of offenses? While the penalties meted out to corporate criminals often fall a long way short of the costs incurred in prosecuting them, one day we might see government rewarding independent regulators for successful prosecutions. Regulators would be motivated to find all breaches, and the government would be confident all its outlay was spent on investigations that conclude successfully and so offer greatest protection to the market.

Thought-experiments in privatization aside, the threat posed by regulation will increase. It threatens budgets through the cost of compliance, particularly in businesses that do not have a robust IT infrastructure that can be easily adapted to meet new compliance requirements as they emerge. Any company that has undiscovered 'smoking guns' in the communication archive risks being caught by regulators who, as they become more effective, will spot breaches the company doesn't know it's committing. Financial penalties and a drop in investor confidence will follow swiftly.

By using the principles of active policy management, banks can protect their customers, staff, investors and ultimately themselves – and keep up with ever-changing regulations.

The author is CEO of Orchestria.