Tag Archives: compliance

Balancing Digital With Compliance

When the pandemic struck early last year, insurers had a wake-up call when it came to digital transformation. A report by Accenture revealed that the lack of digital, agile systems was evident in the industry’s response to COVID-19 when “insurers struggled to pivot to remote work and to continue meeting demands for sales and service.” However, things have changed for the better. A 2020 PwC report shows that core technology transformation (51%) and cloud technology (28%) are key priorities for insurers.

At the same time as these digital changes are happening, the industry is seeing more regulations pop up. Depending on their specialty, insurers already had to adhere to healthcare, financial and consumer privacy regulations. More recently, Maine and North Dakota adopted the National Association of Insurance Commissioners (NAIC) data security model law, which seeks to establish data security standards for regulators and insurers to mitigate the potential damage of a data breach. They join at least seven other states that have already adopted similar laws.

With the shift toward cloud infrastructure and applications well underway, minimizing risk and protecting data integrity and privacy become all the more important. Those in the insurance field need to balance new digital transformation efforts with increasing compliance requirements. Data ownership can help with both – here’s how.

Keep Compliance Top of Mind

When important data starts to move from legacy systems into mission-critical cloud or SaaS (software as a service) apps, like Salesforce, it can complicate regulatory compliance. While many insurers may believe they own the data within these apps, they don’t have the control over it that ownership would typically convey. And yet, they can still be held liable should something happen to a client’s data within the SaaS app.

Additionally, because insurers may also need to access SaaS data for analytic purposes, they’re likely to download it, make their own copies and store them in their own folders and systems, creating data sprawl. Not only does this increase potential access points and vulnerabilities within an organization, but it can also cause other problems for insurers. From inaccuracies caused by data being changed in one copy and not in others, to the more straightforward issue of not knowing everywhere data is stored – and who is accessing it – data sprawl can be dangerous, especially where regulations are concerned.

To better ensure compliance and avoid these pitfalls, insurers should back up and own their data. Where data is stored is critical to how accessible, secure and auditable it is – which is why organizations should store data in the cloud infrastructure they’re already using, such as AWS or Azure, instead of keeping it in SaaS vendors’ – or backup vendors’ – environments.

Storing historical data in this fashion can help insurance companies in several ways. First, it decreases the surface area of exposure. The more copies of data floating around an organization — whether the insurer’s or the backup vendor’s — the more potential touchpoints, meaning there’s greater opportunity for unauthorized access, and it becomes harder to trace any changes. These issues can put an organization at risk for breaches, intentional and inadvertent data corruption and penalties when auditors come knocking. However, when data is in your organization’s own cloud data lake and can be streamed into business intelligence or analytics tools from a single source of truth, it reduces the number of copies needed, helping to ensure data integrity and maintain compliance.

Likewise, storing data in an insurer’s own cloud means the organization can set controls over who touches it and where it goes in the organization. This makes it easier to maintain a digital chain of custody – and trace when, where and who made changes. Many new regulations require audit trails that capture this information, something that gets increasingly difficult when data is stored and retained over time in third-party applications.

Data ownership as a key to growth

Data ownership not only helps insurers decrease risk and liability, it can also propel organizational growth.

Many insurers have already been tapping into historical data for predictive analytics, when it comes to policy writing, for example. By incorporating this new pool of SaaS backup data – which captures every change made – those models can become more accurate. Insurers get access to even more information that can lead to better insights and be used to improve everything from underwriting, pricing and risk assessment to recommendations about insurance plans and strategic marketing decisions – all of which affect an insurer’s bottom line.

As insurers begin to cross the digital divide, they need to be aware of compliance necessities that accompany digital change. With a sound data strategy, insurers can reap the benefits of creating a digitally driven enterprise while adhering to regulations and setting themselves up for continued success.

Vaping, Compliance and Rewarding Safety

A phrase about fire should read more like an expression about fiery rhetoric, because where there’s smoke inhalation, there’s a cloud of confusion. The smoke comes from vapors of misinformation about an industry in which the good deserve recognition and the compliant warrant respect, in which those who comply with the law uphold the letter of the law, in which those on the right side of the law are true to the spirit of the law. The insurance industry should separate the good, whose ranks include manufacturers of approved vaping products and devices, from the bad. 

Approved products are not an endorsement of vaping, or approval from the government for people to vape for no reason. Rather, approval corresponds to federal standards of safety and disclosure. 

In honoring these standards, consumers have the knowledge to make informed decisions: to choose the right vaping devices for the right reasons. In turn, insurers should distinguish between those who vape in accord with the rules—on account of the rules—versus those who put themselves at risk of injury or hospitalization.

According to Mike Khalil, founder and CEO of JJ Compliance Consulting Group (J&JCC Group):

“Compliance is a necessity for the tobacco and vape industry. And yet those who ignore this fact, or believe they can change the facts, face an unpleasant reality via fines or lawsuits, both. The cost of noncompliance is a cost insurers will not absorb and consumers will not accept. Also, those who do not obey the law forfeit their moral right to object to the enforcement of the law—period.”

Notice the point about the morality of compliance, as this point alone speaks to what insurers should do. The point is to encourage good behavior, not punish it; charging consumers who vape with specific devices, specifically approved devices, less than those who vape with a sense of careless disregard.

If insurers care about this issue, if they care about compliance in general and improving the safety of vaping in particular, they should insist on the wholesale adoption of existing rules by the vaping industry. The effect would cause other industries to follow suit, lowering costs not only for insurers but for everyone.

Compliance is a testament to matters of legal and moral importance. That is to say, compliance is not a DIY (do it yourself) project; it is instead proof of a company’s commitment to what the government demands, regulators require, courts expect, and consumers want.

Compliance is a goal insurers should promote, since the alternative is too dangerous to deny and too wrong to dismiss. 

That this goal is attainable, that it is affordable too, underscores the fact that it is the right thing to do. 

Prioritizing this goal is how insurers can increase safety without raising costs, or losing money. Prioritizing this goal is how the insurance industry can strengthen its reputation, and develop a reputation for oversight, care, and compliance.

With consultation from experts, compliance can be the standard all industries embody.

How to Evaluate AI Solutions

After almost a decade working in a large, global bank, I can speak to the challenges faced by all three lines of defense in trying to combat financial crime. I can also attest to the effect these processes had on our clients. As a front-line corporate relationship manager, I frequently had to navigate the know your customer (KYC), remediation and payment screening process for my clients. 

Not only was this an incredibly time-consuming and frustrating process on an organizational level, but more painful was the deleterious effect it had on our clients and their business: Crucial payments to vendors were delayed unnecessarily; accounts took months to open and required incessant back and forth among multiple parties; and account fundings/transactions always came down to the wire because of basic due diligence, regardless of how much work you tried to do ahead of time.

Much of the process that required our intervention seemed mundane, repetitive and inefficient, which compounded everyone’s frustration. 

Sound familiar?

These types of repetitive, mundane tasks are ideally suited to being outsourced to artificial intelligence, which the industry now seems to realize.

Artificial intelligence can be an incredibly valuable tool, in that it can offload mundane tasks, provide insight into customer and employee behavior, create more standardization and help reduce or manage costs.

But as technology becomes increasingly sophisticated, there are many factors to weigh in the decision-making process. 

After countless conversations with stakeholders and decision makers in the industry, I have learned that there are five main concerns when implementing regulatory technology, especially AI technology, in the financial sector: 

  1. How transparent is the AI? 
  2. What if the AI learns the wrong behaviors, such as bias?  
  3. Does it have more than one purpose? What is the road map?
  4. Is it better than what I have now? More accurate, faster, more standardized, more cost effective? Can “better” be tested quantifiably?
  5. What are the redundancies? How will this technology affect my operational resiliency?

Let’s look at each point in order.

1. How transparent is the AI? 

While this seems like a straightforward question, “transparent” really encompasses three separate factors:  

  • Will my team and our stakeholders be able to understand how it works? 
  • Will I be able to easily demonstrate to audit, the board and regulators that it’s doing what it’s supposed to do?
  • Can I get a snapshot of what is happening at any given moment? 

All of the major regulators have stipulated that artificial intelligence solutions be explainable and demonstrable. Both of these concepts are rather self-explanatory but still worth exploring.

It’s not sufficient for your compliance team to understand how the AI makes decisions. They also need to be comfortable explaining the process to key stakeholders, whether they are board members, the internal model committee, audit or the regulators.

If your technical team can’t understand the technology or how decisions are made, or if the vendor claims confidentiality to protect its IP, this is a cause for concern.

Like transparency, demonstrability captures a few components – it means you have to be able to demonstrate:

  • What decisions the AI has made; 
  • What changes you’ve made to how the AI makes decisions; and
  • Who made the changes.

This is where an audit trail comes into play. First of all, is there one? If so, is it immutable, and does it capture all actions in the AI or just some of them? Is it exportable in report format, and, if so, is the report readable and can it be easily understood?

Compliance is a data-driven world, and the risk associated with being deemed non-compliant is substantial. Being able to capture and export changes to, and decisions made within, your AI is crucial to your relationships with your stakeholders.

As personal liability expands in the corporate world, board members and committees increasingly require an understanding of not only how compliance risk is being mitigated, but also clear evidence that it’s being done, how and by whom.
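The audit-trail questions above (is there one, is it immutable, does it capture every action, who made each change, can it be exported readably) can be checked concretely. The following is an added example, not code from the article or from any vendor it mentions: a minimal hash-chained, append-only trail that records both the decisions an AI engine makes and the configuration changes operators make to it, exports a readable report, and detects tampering or deleted entries. The class and method names are hypothetical, and the alert IDs and settings are constructed sample values.

```python
"""Added example (not from the original article): a hash-chained audit trail
for AI decisions and configuration changes. Names and sample values are
hypothetical."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    def __init__(self):
        self.entries = []

    def _append(self, kind, actor, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "kind": kind,
            "actor": actor,
            "payload": payload,
            "prev": prev,  # link to the previous entry's hash
        }
        # Canonical JSON so the digest is reproducible after export/import.
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def record_decision(self, alert_id, outcome, model_version, actor="ai-engine"):
        """What the AI decided, and which model version decided it."""
        return self._append("decision", actor,
                            {"alert_id": alert_id, "outcome": outcome,
                             "model_version": model_version})

    def record_change(self, setting, old, new, actor):
        """What was changed in how the AI decides, and by whom."""
        return self._append("config_change", actor,
                            {"setting": setting, "old": old, "new": new})

    def verify(self):
        """Recompute every digest and check every chain link.
        Returns (True, None) if intact, else (False, seq of first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:          # an entry was removed or reordered
                return False, e["seq"]
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != e["hash"]:       # an entry was edited in place
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def export_report(self):
        """Human-readable lines for auditors: who did what, in order."""
        lines = []
        for e in self.entries:
            p = e["payload"]
            if e["kind"] == "decision":
                lines.append(f'{e["seq"]:04d} {e["ts"]} DECISION {p["alert_id"]} -> '
                             f'{p["outcome"]} (model {p["model_version"]}) by {e["actor"]}')
            else:
                lines.append(f'{e["seq"]:04d} {e["ts"]} CHANGE {p["setting"]}: '
                             f'{p["old"]!r} -> {p["new"]!r} by {e["actor"]}')
        return "\n".join(lines)


def demo():
    """Constructed walkthrough: three entries, then a silent edit of entry 0."""
    trail = AuditTrail()
    trail.record_decision("ALERT-1001", "false_positive", "v1.2")
    trail.record_change("name_match_threshold", 0.85, 0.90, actor="j.smith")
    trail.record_decision("ALERT-1002", "true_positive", "v1.2")
    intact, _ = trail.verify()
    trail.entries[0]["payload"]["outcome"] = "true_positive"  # tamper with a closed decision
    tampered_ok, bad_seq = trail.verify()
    return intact, tampered_ok, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 0)
```

In a real deployment the chain head (the latest hash) would be written somewhere the operators of the AI cannot modify, such as a separate log service or a periodic signed checkpoint; otherwise whoever can rewrite the log can also rewrite the hashes. The point of the example is the shape of the evidence a board or regulator asks for: decisions, changes and actors, in one tamper-evident sequence.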

2. What if the AI learns the wrong behaviors, such as bias?

The underlying questions here, without detracting from the very serious concern about embedding existing unconscious bias into your AI, are:

  • If the AI is wrong, or my requirements change, can I fix it? How easily? 
  • What impact will tweaking the AI have on everything it’s already learned?

An industry journalist recently asked me if I thought bias was a problem with AI. My answer to her, and to all of you, is that AI simply learns what’s already happening within your organization. As a result, unconscious bias is one of the things that AI can learn, but it doesn’t have to be a problem. 

While you can’t really prevent AI from learning from past decisions (that’s kind of the point), good technology should enable you to identify when it’s learned something wrong, and to tweak it easily to prevent bad decision-making from becoming embedded into your AI’s decision making.

This ties in to the need for transparency and reporting. It’s not only necessary to see how decisions are made, you also need to be able to prevent poor decisions or bias from being part of the AI’s education. And all of these things need to be documented. 

When testing new vendors, once the AI engine has been trained initially for your proof of concept, you should be able to clearly understand the findings and be able to make changes at that time (and thereafter). You will very likely be surprised by some of the ways decisions are currently being made within your organization. 

For example, at Silent Eight, our technology investigates and solves name and transaction alerts for banks. This work is typically done by teams of analysts, who investigate these alerts, and close them as either a true positive (there is risk here) or false positive (there is no risk). True positive alerts require substantially more time to investigate and close than alerts deemed to be false positives. 

Analysts typically have KPIs around the number of alerts they’re expected to investigate and close each week. 

By late Friday, the analysts are doing everything they can to make sure they meet this quota. As a result, it’s not unusual during the AI training process that the AI learns that 4pm on Fridays is a great reason to close out pending alerts as false positives. 

Obviously this is a good example of AI learning the wrong behavior and needing to be tweaked. It’s also a good example of mistaking correlation for causation, which is a topic worthy of its own examination on another day.

Today, as regulations are introduced and amended, you’re continually updating your policies to reflect these changes. It’s no different with artificial intelligence. It’s imperative that your AI engine is correspondingly easy to tweak, and that, when you tweak it, you don’t lose everything it has already learned. 

Thoughtful, well-designed technology should be built in a manner that makes it easy to update or amend part of the AI engine, without affecting the rest of the learnings. This is something you should both ask about, and test.
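The Friday-afternoon story above is a case of a model learning an artefact of analyst behaviour rather than risk. One way to catch that before it is embedded is to compare closure rates across time-of-week buckets before training. The code below is an added illustration, not code from Silent Eight or from the article: it builds a constructed alert history in which Friday 16:00 and 17:00 closures are inflated, flags the buckets whose false-positive rate is implausibly high against all other buckets, and then excludes those closures from the training set without discarding the rest of what was learned. The function names and all data are hypothetical.

```python
"""Added example (not code from Silent Eight or the article): detecting a
spurious time-of-week pattern in analyst alert closures before a model
learns it. All data below is constructed."""
from collections import defaultdict
from math import sqrt

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]
HOURS = range(9, 18)  # 09:00 .. 17:00 working hours


def build_sample_alerts():
    """Constructed closed-alert history: 40 alerts per weekday/hour bucket.
    About 70% are closed as false positive overall, but on Friday at 16:00
    and 17:00 the rate jumps to 95% as analysts rush to meet the weekly quota."""
    alerts = []
    for day in DAYS:
        for hour in HOURS:
            quota_rush = day == "Fri" and hour >= 16
            fp_count = 38 if quota_rush else 28
            for i in range(40):
                alerts.append({
                    "day": day,
                    "hour": hour,
                    "name_score": round(0.6 + (i % 5) * 0.08, 2),  # a legitimate feature
                    "closed_as_fp": i < fp_count,
                })
    return alerts


def find_spurious_time_buckets(alerts, z_threshold=3.0):
    """Flag (day, hour) buckets whose false-positive closure rate is
    implausibly high compared with every other bucket (one-sided z-test on
    the binomial proportion). Returns [((day, hour), fp_rate, z), ...]."""
    buckets = defaultdict(lambda: [0, 0])  # (day, hour) -> [fp, total]
    for a in alerts:
        b = buckets[(a["day"], a["hour"])]
        b[1] += 1
        b[0] += a["closed_as_fp"]
    total_fp = sum(fp for fp, _ in buckets.values())
    total_n = sum(n for _, n in buckets.values())
    flagged = []
    for key, (fp, n) in sorted(buckets.items()):
        # Baseline from all *other* buckets so a suspect bucket cannot mask itself.
        p0 = (total_fp - fp) / (total_n - n)
        se = sqrt(p0 * (1 - p0) / n)
        if se == 0:
            continue
        z = (fp / n - p0) / se
        if z > z_threshold:
            flagged.append((key, round(fp / n, 2), round(z, 2)))
    return flagged


def exclude_buckets(alerts, flagged):
    """Remediation: drop closures from the flagged buckets so the quota
    behaviour is not learned, leaving the rest of the history intact."""
    bad = {key for key, _, _ in flagged}
    return [a for a in alerts if (a["day"], a["hour"]) not in bad]


if __name__ == "__main__":
    history = build_sample_alerts()
    suspects = find_spurious_time_buckets(history)
    print(suspects)  # the two Friday buckets, rate 0.95
    print(len(exclude_buckets(history, suspects)))  # 1720
```

The same check generalises to any operational feature that should carry no risk signal (analyst ID, queue name, day of month): group closures by that feature, test each group against the rest, and document what was excluded and why so the exclusion itself is part of the audit trail.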

3. Does the AI have more than one purpose? What is the road map?

Many financial institutions have dueling mandates: to innovate and transform digitally, but also to rationalize vendors. So, when considering artificial intelligence solutions, which are often niche, it’s worthwhile finding out:

  • How the vendors decide to build out features;
  • Whether they are willing to customize their offering for you;
  • How reliably they’ve delivered on features in the past; and
  • Whether what’s on their road map adds value for you.

This way you can ensure that the decision you’re making is one that is future-proofed and set up for longevity.

4. Is it better than what you have now? 

Better can mean different things to different organizations and individuals. It’s typically tied into the problems you’re experiencing now, and what your organization’s strategic focus and priorities are. When I ask clients and prospects what they mean by “better,” the answers I hear most commonly are:

  • Is it more accurate?
  • Is it faster?
  • Will it give me greater standardization?
  • Will it enable me to identify more risk?
  • Will it enable me to federate by jurisdiction?
  • Will it lead to greater efficiencies?
  • Is it more cost-effective?
  • Does it increase my visibility? I.e., is it transparent?

Once you’ve defined what “better” means to you and your organization, you need to find out from your prospective vendors if and how “better” can be tested quantifiably. 

5. What are the third-party dependencies? How will this technology affect my operational resiliency?

Operational resiliency and third-party due diligence have become a significant focus in the industry and can be a barrier to doing business. Many regulators, including the EBA and the FCA, have issued guidelines on the topic, and continue to revisit it.

It’s vital to understand if a vendor is reliant on any other vendors in its tech stack, if it’s using open source code, what the deployment is (on premise, in the cloud, in a private cloud) and what security standards the vendor adheres to.

Take back the things you can control 

Right now, the financial services industry is beset by many challenges that are outside of its control, including low interest rates, remote working, bad debt provisions and the increase in new accounts and suspicious activity resulting from COVID.

Your compliance costs and processes are a piece of the puzzle you can control. Good artificial intelligence technology will enable you to offload some of your mundane, repetitive tasks, freeing you and your team to focus on more complex risks and higher value projects. 

I recognize that artificial intelligence can be a bit daunting, and that it has a mixed reputation in the industry. However, if you’re armed with a dose of skepticism, have the right questions to ask and approach it with an open mind, you’ll be amazed by what it can do.

Navigating Confusing Insurance Regulations

The COVID-19 pandemic has caused turmoil for insurance. To aid consumers as unemployment and uncertainty spiked, state regulators around the country issued emergency protection measures to extend grace periods for premium nonpayments, prohibit policy cancellations during states of emergency, extend premium repayment timelines and offer leniency to insured individuals hit by COVID-19, among other changes.

These emergency insurance industry regulations are complex — plus, protections vary widely by state and must be implemented rapidly. It’s no wonder insurers are having a tough time navigating insurance laws and regulations during the pandemic.

In late March, for instance, New York Gov. Andrew Cuomo passed Executive Order 202.13 to assist insurance policyholders experiencing coronavirus-related financial difficulties. The order stipulated that life, commercial property, home, auto, liability and other insurers extend grace periods for premium payment and repayment to affected individuals in the state. The order also temporarily prohibited some insurers from canceling, refusing renewal or offering conditional renewal on insurance.

These amendments to New York’s rules and regulations were more complicated than they seemed on the surface, which meant they raised legal issues in insurance businesses. For one, the accommodations only applied to individuals who faced economic hardship due to the pandemic. Individuals were required to provide insurers with written testimony — which added a considerable burden to insurers that had to collect, review and track this data. Some of those rules cast a long shadow. For instance, affected policyholders who were unable to pay their premiums have the option to repay what they owe in 12 monthly installments, which began in June 2020.

The emergency insurance industry regulation that was passed in New York is just one example of such orders. In every state, these changing insurance laws and regulations placed — and continue to place — a considerable burden on insurers.

The Department of Financial Services (DFS) has taken steps to lighten the load and help companies navigate the changes. While the uncertainty surrounding the pandemic persists, the DFS has loosened rules around notice obligations to allow insurers to email notices to policyholders, regardless of policyholder consent to email communication.

This provision, along with the DFS’s requirement that insurers post relevant information on their websites and maintain all records of communications with policyholders, was designed to communicate information to consumers rapidly and ensure records are complete and updated throughout the pandemic. In addition, the DFS provides sample correspondence for insurers to communicate COVID-related measures to policyholders.

How to Be Compliant Amid Changing Rules and Regulations

Emergency insurance laws and regulations to protect consumers during the pandemic are necessary, but they make it difficult for insurers to reach strategic decisions and plan for what’s ahead. The future is cloudier than ever — no one knows how long emergency measures will remain in place or what the regulatory landscape or compliance requirements will look like in the near future.

Put another way, insurers are grappling with a plethora of hard questions. How will the new normal affect product features? How will risk assessment and financial underwriting be affected? What will be the long-term effect of wage loss for affinity customers in certain industries? How do insurers operationalize an increasingly complicated set of rules across multiple product lines, segments and regions? What happens if there is another surge of COVID-19 cases? The answers to these and other questions are neither clear nor simple.

Insurers face considerable questions when it comes to temporary insurance laws and regulations. Adaptation is a matter of survival. Here are a few steps insurance companies can take to handle the rapid changes and remain compliant:

  • Dedicate a team focused on staying abreast of coronavirus-related regulatory changes, educating others in the company about these changes and building a strategy for compliance.
  • Make business resiliency plans that take into account likely scenarios, including the emergency measures lasting for varying lengths of time.
  • Repurpose staff members based on shifting organizational needs.
  • Leverage external partnerships and partnerships between carriers and agencies/brokers — how can you support one another during this time?
  • Appoint subject matter experts in account management, TPA management, underwriting and actuarial to handle related elements of the emergency regulations.

For many insurers, siloed legacy systems represent the biggest hurdle to meeting new insurance industry regulations while managing the resulting deluge of data. Switching to an integrated, comprehensive governance system that can better manage these changes and keep up with privacy and data management needs will not only help insurers weather the pandemic but will also help them make more informed, data-driven decisions for the future.

COVID-19 has caused and will continue to cause headaches for insurers scrambling to keep up with new rules and regulations. But the pandemic also offers an opportunity to improve business systems and compliance practices. By making smart decisions now, insurers will be prepared for other changes that come.

How to Avoid Snarl of N. Korea Sanctions

The timing was excellent – or unfortunate – depending on your perspective. Just a week before South Korean President Moon Jae-in jets to Washington to talk DPRK denuclearization, it was reported that a South Korean oil tanker had been detained.

The P PIONEER – the first local vessel seized by South Korean authorities – is among four detained by Seoul. All are suspected of violating United Nations sanctions on fuel shipments to North Korea.

Just last month, the UN Security Council (which uses Windward technology) published its latest report on North Korea. It laid out in graphic detail Pyongyang’s evolving tactics in evading sanctions, and the maritime compliance risk faced by anyone connected – however unwittingly – to vessels engaged in this kind of activity.

The P PIONEER was reportedly detained last October on suspicion of shipping oil to North Korea via clandestine ship-to-ship transfers. Its detention is “an indicator of the increasing pressure the U.S. is exerting on foreign governments and businesses to crack down on North Korean sanctions evasion,” according to Tahlia Townsend and Joseph Grasso, who head the International Trade Compliance and Insurance Practice Group at U.S. law firm Wiggin and Dana.

A Windward analysis of the vessel’s behavior in the 12 months leading up to its detention reveals a pattern of dark activities in several parts of the East China Sea. In total, we detected 13 separate occasions when this happened – the kind of deceptive shipping practices routinely employed by North Korea, as highlighted by an updated advisory published last month by the U.S. Treasury’s Office of Foreign Assets Control. During our analysis, another notable pattern of behavior emerged: In the 12 months before it was detained, the P PIONEER only visited ports in South Korea. In other words, every voyage the vessel undertook began and ended in South Korea.

Map showing polygons (areas) linked to possible clandestine oil transhipments to North Korea. Source: OFAC, UN.

Searching in the dark

Detecting such behavior just by searching for “dark activity” won’t get you very far. Indeed, if you use this behavior as a proxy for illicit activity in the East China Sea, you’ll end up with a “short list” of 20,000 vessels during the past 12 months (the East China Sea is notorious for poor AIS coverage, meaning many vessels that “go dark” don’t do so deliberately). Of these, 1,200 were tankers – a number way too big to differentiate between innocent vessels just passing through and those potentially engaged in illicit oil trading with North Korea. If identifying dark activity were all we could do, compliance officers, charged with ensuring the vessels they deal with are complying with sanctions, would probably jump overboard.

Map showing clusters of dark activities by vessels in the East China Sea over the past year.

Where we can narrow things down for maritime compliance risk is by looking at how frequently vessels went dark – where it was an integral part of a vessel’s modus operandi. As the chart below shows, most tankers had no more than one dark activity in the area; only 3.5% of them did it more than five times. We can look more closely at repeat offenders, to find those that might be evading sanctions (our algorithms can detect which transmission gaps are due to lack of reception and which are due to skulduggery).

Distribution of vessel dark activity, highlighting two additional vessels that were mentioned in the recent OFAC advisory regarding DPRK as possibly being involved in illegal transports of petroleum products.

Behavioral Analysis

Another way to whittle down the list of potential miscreants is to look at trade patterns. As discussed above, most vessels passing through this area were heading to ports in the region. The P PIONEER’s voyages always started and finished in South Korea (with a dark activity in between), a pattern we see in just 81 other vessels over the past 12 months.

If we narrow our time window to the past 60 days, we find only 17 vessels were engaged in this pattern of behavior – a much more manageable data set. Within those 17, we find one very interesting vessel, called the P CHANCE.

Like the P PIONEER, it’s a tanker; it’s flagged in South Korea; it had 21 dark activities in the region in the past year – including one last month. Oh, and it belongs to the same registered owner (see below).

Looking at the P CHANCE’s economic utilization profile, one can spot the same risk indicators but from a different perspective. With more than 15 dark activities in the East China Sea in 2018, the vessel spent only 31 days in port (compared with 80 days for similar tankers).

To be sure, this analysis isn’t a smoking gun – it just means that out of the thousands of vessels transiting the East China Sea every month, this vessel stands out, indicating that further investigation may be warranted.
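The funnel described in the two sections above (count dark activities per vessel over 12 months, keep the repeat offenders, then keep only vessels whose every voyage in a shorter window began and ended in the same country with a dark activity in between, and finally look at who else shares an owner) can be expressed as a few small filters. The code below is an added example, not Windward’s code or data: vessel names, owners, flags and voyages are all constructed, and the function names are hypothetical. Whether a transmission gap is a genuine dark activity or a reception dropout is assumed to have been decided upstream, as the article says its algorithms do.

```python
"""Added example (not Windward's code or data): the vessel screening funnel
described in the article, run over constructed records. All vessels, owners
and voyages are hypothetical."""
from collections import Counter, defaultdict

# Constructed vessel register: name -> type, flag, registered owner.
VESSELS = {
    "TANKER-A": {"type": "tanker", "flag": "KR", "owner": "OwnerX"},
    "TANKER-B": {"type": "tanker", "flag": "KR", "owner": "OwnerX"},
    "TANKER-C": {"type": "tanker", "flag": "PA", "owner": "OwnerY"},
    "BULK-D":   {"type": "bulk",   "flag": "KR", "owner": "OwnerZ"},
    "TANKER-E": {"type": "tanker", "flag": "KR", "owner": "OwnerW"},
    "TANKER-F": {"type": "tanker", "flag": "KR", "owner": "OwnerV"},
}

# Constructed voyages: (vessel, origin country, destination country,
#                       dark activities en route, days ago the voyage ended)
VOYAGES = [
    ("TANKER-A", "KR", "KR", 3, 20), ("TANKER-A", "KR", "KR", 2, 100), ("TANKER-A", "KR", "KR", 1, 300),
    ("TANKER-B", "KR", "KR", 4, 10), ("TANKER-B", "KR", "KR", 3, 200),
    ("TANKER-C", "SG", "CN", 1, 15), ("TANKER-C", "CN", "SG", 0, 40),
    ("BULK-D",   "KR", "KR", 2, 30), ("BULK-D",   "KR", "KR", 5, 150),
    ("TANKER-E", "KR", "JP", 1, 25), ("TANKER-E", "JP", "KR", 0, 90),
    ("TANKER-F", "KR", "KR", 1, 120),
]


def dark_activity_counts(voyages, window_days):
    """Dark activities per vessel on voyages that ended within the window."""
    counts = Counter()
    for vessel, _, _, dark, ended in voyages:
        if ended <= window_days:
            counts[vessel] += dark
    return counts


def repeat_offenders(counts, vessels, vessel_type="tanker", min_events=5):
    """Vessels of the given type with more than min_events dark activities,
    most frequent first."""
    hits = [(v, c) for v, c in counts.items()
            if vessels[v]["type"] == vessel_type and c > min_events]
    return sorted(hits, key=lambda vc: (-vc[1], vc[0]))


def share_of_repeat_offenders(counts, vessels, vessel_type="tanker", min_events=5):
    """Fraction of vessels of the given type that went dark more than min_events times."""
    pool = [v for v in vessels if vessels[v]["type"] == vessel_type]
    hits = [v for v in pool if counts[v] > min_events]
    return len(hits) / len(pool)


def domestic_roundtrip_pattern(voyages, country, window_days):
    """Vessels whose every voyage in the window began and ended in `country`
    and included at least one dark activity en route."""
    by_vessel = defaultdict(list)
    for vessel, origin, dest, dark, ended in voyages:
        if ended <= window_days:
            by_vessel[vessel].append((origin, dest, dark))
    matches = [v for v, legs in by_vessel.items()
               if all(o == country and d == country for o, d, _ in legs)
               and any(dk > 0 for _, _, dk in legs)]
    return sorted(matches)


def screen(voyages, vessels, country, pattern_window_days, count_window_days=365, min_events=5):
    """Full funnel: repeat offenders over a year that also show the
    domestic round-trip pattern in the shorter window; tankers only."""
    counts = dark_activity_counts(voyages, count_window_days)
    pattern = domestic_roundtrip_pattern(voyages, country, pattern_window_days)
    return sorted(v for v in pattern
                  if vessels[v]["type"] == "tanker" and counts[v] > min_events)


def shared_owner_clusters(candidates, vessels):
    """Group screened vessels by registered owner; keep owners with 2+ hits."""
    groups = defaultdict(list)
    for v in candidates:
        groups[vessels[v]["owner"]].append(v)
    return {owner: sorted(vs) for owner, vs in groups.items() if len(vs) > 1}


if __name__ == "__main__":
    year = dark_activity_counts(VOYAGES, 365)
    print(repeat_offenders(year, VESSELS))            # [('TANKER-B', 7), ('TANKER-A', 6)]
    print(share_of_repeat_offenders(year, VESSELS))   # 0.4
    print(domestic_roundtrip_pattern(VOYAGES, "KR", 365))
    shortlist = screen(VOYAGES, VESSELS, "KR", 60)
    print(shortlist, shared_owner_clusters(shortlist, VESSELS))
```

As the article stresses, what comes out of this funnel is a shortlist for further investigation, not a finding: each filter removes vessels with an innocent explanation (poor reception, ordinary coastal trade), and the owner cluster at the end is the prompt to look at a sister vessel, not proof against it.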

Maritime Compliance Risk

The deceptive shipping practices discussed in this article were once only relevant to intelligence agencies and NGOs that monitored and enforced sanctions. But as we’ve seen in the recent OFAC advisory, and the UN Panel of Experts report, sanctions enforcement is no longer something only bad actors need worry about; counterparty due diligence (CDD) teams in every industry that interacts with shipping now need to up their game considerably. Indeed, when list managers or compliance officers consume data feeds and blacklists, the recent OFAC advisory might now require them to prepare and consume a global daily review of dynamic sanctions evasion tactics, to mitigate compliance risk. With the right technology, they can do so – while keeping their businesses running as usual.