Model-driven regulatory compliance: a case study of "know your customer" regulations
Pages 436 - 445
Abstract
Modern enterprises face an unprecedented regulatory regime. Industry governance, risk, and compliance (GRC) solutions are document-oriented and expert-driven. Formal compliance checking techniques, in contrast, attempt to provide ways for rigorous modeling and analysis of regulatory compliance, but they miss out on the holistic GRC perspective because of missing integration between a diverse set of (semi-)formal models. We show that, by streamlining regulatory compliance using multiple purposive models of various aspects of regulations, it is possible to leverage both the rigor of formal techniques and the holistic enterprise GRC perspective. Our contributions are twofold. First, we present a model-driven architecture based on a conceptual model of integrated GRC that is capable of addressing key challenges of regulatory compliance. Second, using Know Your Customer (KYC) regulations in the Indian context as a case study, we demonstrate the utility of this architecture. Initial results with KYC regulations are promising and point to further work in model-driven regulatory compliance.
Published In
In-Cooperation: IEEE CS
Publisher: IEEE Press
Published: 30 September 2015
Qualifiers: Research-article
Conference: MODELS '15: ACM/IEEE 18th International Conference on Model Driven Engineering Languages and Systems
September 30 - October 2, 2015, Ottawa, Ontario, Canada
Acceptance Rates: Overall Acceptance Rate 144 of 506 submissions, 28%