DNL Trust Bank has been driving a successful Robotic Process Automation (RPA) program with their Automation Centre of Excellence (CoE) at the helm. After one of their quarterly reviews, CFO Timothy Davis was pleasantly surprised by the excellent numbers around efficiency gains, savings, and time to value generated through the RPA program. She recalled the days when the bank started its RPA journey. Their CTO Mark Higgins did his due diligence to get it right the first time. From setting up the Automation CoE to scientifically prioritizing suitable candidates for automation, he took the right steps and was now reaping the benefits of a well-planned automation journey.
Besides the superlative metrics, what intrigued Timothy more was the adherence to compliance. She had been worried in the initial days. How would the journey take shape when bots carry out the processes instead of humans? How would the existing, stringent controls and processes manifest once the bots take over?
Mark had jokingly quoted science fiction author Isaac Asimov’s First Law of Robotics to Timothy, “A robot may not injure a human being or, through inaction, allow a human being to come to harm! Then why do you worry, Timothy?”
But adherence to compliance and statutory guidelines is no joke, especially for financial institutions. Mark understood this, and hence, as part of his due diligence, he placed early emphasis on identifying whether candidate products had the capabilities to meet such requirements.
Let us dive a little deeper to understand what these controls are and how a good RPA product complements them.
Segregation of Duties is a primary requirement under stringent controls such as the Sarbanes-Oxley (SOX) Act. Segregation of Duties is easy to get wrong when an organization's workforce has bots working alongside humans. With the introduction of concepts like Automation Singularity, segregation of duties within the system becomes very important. Activities performed by bots and by humans need to be clearly defined, tracked, and recorded for audit purposes. RPA platforms like AssistEdge track the end-to-end workflow for each transaction in a consolidated manner.
Detailed role-based access controls (RBAC) in the automation platform enforce controls over privileged accounts within the RPA platform. A built-in secure credential vault stores passwords in encrypted form. The ability to integrate with external credential vaults like CyberArk gives the flexibility to select the desired vault for securing the passwords. As a governance best practice, exposure of bot credentials must be limited to a small user group.
As per Information Produced by an Entity (IPE) requirements under SOX compliance, the organization must appoint a custodian for all standard out-of-the-box reports and custom reports, to define the data across these reports and to consolidate and share them with the auditors. The RBAC capabilities of the automation platform allow you to designate the custodian(s) and assign the relevant access.
In addition to this, it is important to allow the business users to decide what information should be captured in logs as per the guidelines and requirements. AssistEdge’s capability to customize what gets logged along with different levels of logging comes in handy at this point. It also gives the automation designer control to achieve data lineage and traceability easily.
It is paramount to capture actions taken by the bot and actions performed to the bot. Any intentional or unintentional change made to the automation process configuration, schedule, or triggers has a domino effect. It affects SLA adherence, introduces processing errors, and eventually results in massive financial losses for the enterprise. AssistEdge provides consolidated logs of both actions by and actions to the bots within the platform.
It captures the bot's logins to applications and step-by-step records of each transaction. Audit logs also capture edited data points and modified documents. The platform allows the download of end-to-end logs for each process and its associated transactions. Those charged with internal compliance (e.g., the internal audit function, IT compliance) are made aware of these factors. Protocols are put in place to maintain an up-to-date inventory of bots and to establish a standard operating procedure for all updates to processes/controls. Change management ensures that the required guidelines are reflected in bot design where necessary. AssistEdge also allows the configuration of restricted access modes for virtual machines in bot farms. This feature counters unauthorized access and misuse of bot credentials in target applications.
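The controls described above (segregation of duties between the person who edits a bot and the person who approves the change, a record of every change to configuration, schedule or triggers, and a consolidated log of actions by and actions to each bot) can be checked mechanically once the audit log is available for download. The following is an added illustration, not AssistEdge's own code or log schema: it assumes a hypothetical JSON-lines audit export with `actor`, `actor_type`, `action`, `bot` and `change_id` fields, and the sample events are constructed for the example.

```python
"""Audit-log checks for an RPA bot farm: maker/checker segregation of duties,
control-plane changes without an independent approval, and bot identities
acting on the control plane. Illustrative code; the event schema is
hypothetical and is not AssistEdge's log format."""
import json
from collections import defaultdict

# Actions that change how a bot behaves ("actions to the bot"): configuration,
# schedule and trigger edits. Each must be tied to an approved change record.
CONTROL_ACTIONS = {"config.modify", "schedule.modify", "trigger.modify"}
APPROVE_ACTION = "config.approve"

# Constructed sample events (hypothetical format). CHG-1001 is a clean
# maker/checker change; CHG-1002 is self-approved; dave edits a trigger with no
# change record; the bot identity itself edits its own configuration.
SAMPLE_AUDIT_LOG = """
{"ts":"2024-03-01T09:00:00Z","actor":"alice","actor_type":"human","action":"config.modify","bot":"loan-kyc-bot","change_id":"CHG-1001"}
{"ts":"2024-03-01T09:05:00Z","actor":"bob","actor_type":"human","action":"config.approve","bot":"loan-kyc-bot","change_id":"CHG-1001"}
{"ts":"2024-03-01T10:00:00Z","actor":"carol","actor_type":"human","action":"schedule.modify","bot":"payments-recon-bot","change_id":"CHG-1002"}
{"ts":"2024-03-01T10:01:00Z","actor":"carol","actor_type":"human","action":"config.approve","bot":"payments-recon-bot","change_id":"CHG-1002"}
{"ts":"2024-03-01T11:30:00Z","actor":"dave","actor_type":"human","action":"trigger.modify","bot":"loan-kyc-bot","change_id":null}
{"ts":"2024-03-01T12:00:00Z","actor":"loan-kyc-bot","actor_type":"bot","action":"app.login","bot":"loan-kyc-bot","target":"core-banking"}
{"ts":"2024-03-01T12:00:05Z","actor":"loan-kyc-bot","actor_type":"bot","action":"txn.process","bot":"loan-kyc-bot","txn":"T-9001"}
{"ts":"2024-03-01T12:30:00Z","actor":"loan-kyc-bot","actor_type":"bot","action":"config.modify","bot":"loan-kyc-bot","change_id":null}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def approvals_by_change(events):
    """Map change_id -> set of identities that approved it."""
    approvers = defaultdict(set)
    for ev in events:
        if ev["action"] == APPROVE_ACTION and ev.get("change_id"):
            approvers[ev["change_id"]].add(ev["actor"])
    return approvers


def segregation_of_duties_violations(events):
    """Changes edited and approved by the same identity (maker == checker)."""
    approvers = approvals_by_change(events)
    return [
        (ev["change_id"], ev["actor"])
        for ev in events
        if ev["action"] in CONTROL_ACTIONS
        and ev["actor"] in approvers.get(ev.get("change_id"), set())
    ]


def unapproved_changes(events):
    """Control-plane edits with no change record, or with no approval from a
    second person. A self-approval does not count as an approval."""
    approvers = approvals_by_change(events)
    findings = []
    for ev in events:
        if ev["action"] not in CONTROL_ACTIONS:
            continue
        change_id = ev.get("change_id")
        independent = approvers.get(change_id, set()) - {ev["actor"]}
        if change_id is None or not independent:
            findings.append((ev["bot"], ev["action"], ev["actor"], change_id))
    return findings


def bot_control_plane_actions(events):
    """A bot identity editing configuration is a misuse signal: bot credentials
    should process transactions, not administer the platform."""
    return [
        (ev["bot"], ev["action"], ev["ts"])
        for ev in events
        if ev["actor_type"] == "bot" and ev["action"] in CONTROL_ACTIONS
    ]


def actions_by_and_to_bot(events, bot):
    """Split the consolidated log into actions performed by the bot and
    actions performed to the bot by some other identity."""
    by = [ev for ev in events if ev["actor"] == bot]
    to = [ev for ev in events if ev.get("bot") == bot and ev["actor"] != bot]
    return by, to


def run_audit(text=SAMPLE_AUDIT_LOG):
    """Run all three checks over an audit export and return the findings."""
    events = parse_audit_log(text)
    return {
        "sod_violations": segregation_of_duties_violations(events),
        "unapproved_changes": unapproved_changes(events),
        "bot_control_plane_actions": bot_control_plane_actions(events),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On the constructed sample this reports CHG-1002 as both a segregation-of-duties violation and an unapproved change (the only approver is the editor), dave's trigger edit as lacking a change record, and the bot identity's own `config.modify` as a control-plane action that a bot account should never perform. The same split of "actions by" and "actions to" a bot is what an auditor asks for when reconstructing who changed a process and when.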
These capabilities might appear rudimentary when looked at in isolation. But their absence from your enterprise's automation program could be damaging. An organization needs to ask what is at stake when it fails to meet even one of these compliance guidelines. Many RPA vendors without an enterprise mindset tend to overlook these capabilities. It is the onus of the Automation CoE to stringently evaluate the automation tool before selecting it for their enterprise. Along with scalability and reliability, security and compliance are the foremost pillars on which an enterprise can build a formidable automation program.
Disclaimer: All characters and events depicted in this blog are indicative. Any similarity to actual events or persons, living or dead, is purely coincidental.