Most organizations have clearly separated roles for the Chief Compliance Officer and Chief Technical Officer. And this has worked well up until recently, as most standards and regulations had mostly legal and procedural implications and technical input was rarely required. At the same time, the CTO has been responsible for the overall IT infrastructure with little compliance requirements coming from the compliance department.
Fully Understanding Both Legal and Technical Aspects
This is starting to become a problem, however, as more and more standards and regulations require deep technical understanding in both preparation and implementation. You can no longer rely on a completely non-technical compliance officer to be supported by a compliance-agnostic technical officer, as fully understanding all aspects – legal, process and technical – is crucial for the proper and efficient implementation. You can’t simply split the standard/regulation into “legal” and “technical” part, because they are so intertwined and interdependent. In the case of GDPR, for example, you literally need to have buttons in your products that mirror the legal wording.
And the more regulated industry is, the more this is becoming an obvious problem. Take PSD2 as another example. Its core principles are technical – open APIs, strong authentication, security. Can a compliance officer with a legal background understand what an open API is? Possibly if they are very knowledgeable and experienced. But for the majority, this has been out of the scope of their work. On the other hand, the “legal-speak” in the directive is hardly understandable for technical people. And even if you can sit together in a meeting and figure out the details, there will always be a gap in the understanding of both roles.
Information security is another example – most of the information security is compliance-driven, from the US to Europe – be it SOX, HIPAA, GDPR, PSD2, standards like ISO 27001 and PCI-DSS or guidelines of a regulatory body, like the EBA guidelines. Does compliance drive the infosec compliance, and if it’s legally required, how does the compliance department assess whether the measures taken are really “adequate and proportionate”? Ideally with compliance experts with deep technical understanding, but more often with checklists that are very far from satisfactory.
And this is a problem in three ways. First, the organization may actually be non-compliant, due to problems with internal communication between the CCO and CTO. Second, the organization may implement the regulation with more expenses than actually required. GDPR is one example of that, where millions have been thrown on consultants, whereas in many cases straightforward technical approaches might have worked just as well. AML processes that involve few if any technical components have made banks so slow opening accounts that in some cases you have to wait months. And third, it will not achieve the desired effect of the regulation – if you implement AML by adding a few procedures following the letter (but not the spirit) of the directive, you may be compliant and money will still be easily laundered.
How to Solve IT Compliance Problems
There are tools that can help solve many compliance problems – from audit trail (which is what we do), through KYC onboarding tools, AML analytics solutions, GDPR discovery tools, etc. But it is very hard to assess and select these tools that need an integrated understanding of IT compliance.
Solving these problems isn’t easy, but we have to think of defining a new role – the Chief IT Compliance Officer. Someone with deep technical and legal understanding (not necessarily with university legal training), experienced in reading and applying regulations in a technical context. Our regulation-to-features mappings (e.g. for PSD2 and HIPAA) are just a glimpse of how the new role will look at things – through technical implementations of legal requirements (that doesn’t exclude the process element, of course). The role will handle the oversight of all IT compliance aspects and will be leading the process of implementing IT compliance.
The Chief IT Compliance Officer will have a lot of work in the years to come, as more and more standards and regulations have at least partial technical aspects. And that’s expected – as everything in our organizations is run by technology, regulations logically follow. And the compliance department alone won’t be able to efficiently handle it. It will be challenging to position the role in the organization, budget-wise and staff-wise, but organizations will find the right balance eventually.
Unfortunately, it will be extremely hard to find Chief IT Compliance Officers initially, as this multidisciplinary work is something few people have done extensively. But we believe this role is inevitable in the nearest future, and its demand is arising.