Part I: Introduction and Overview
Algorithms and AI have become indispensable in the corporate world. Digital compliance is also becoming increasingly important. We understand this term to mean software-based compliance tools that support or potentially take over the "analogue" compliance work. In a multi-part series of articles, we highlight the advantages, risks and legal guard rails in the use of these compliance programs. In the first part, we offer you an introduction and overview of the exciting topic of "digital compliance". In the following articles, we will take a closer look at important individual aspects such as data protection and labor law issues.
"Analogue" compliance reaches its limits
The flood of regulatory requirements for companies is increasing, and the web of regulations is becoming more and more confusing. In addition, more and more business processes are being automated. Algorithms process transactions all over the world in a matter of seconds, without a human being having to or being able to intervene in advance to check or control. Programs analyse current market events in the shortest possible time, give recommendations for action or automatically adapt internal company processes to market developments.
As part of their compliance obligations, companies must therefore not only cope with the increasing regulatory frenzy of legislators. They must also be able to check the compliance of automated business processes. It is therefore obvious, or will become inevitable in the near future, to use computer-based compliance tools to check automated processes.
Digital compliance tools on the rise
A start-up industry has established itself that develops and offers digital compliance solutions, so-called "RegTechs" (Regulatory Technologies). The focus is on program applications for the fulfilment and documentation of regulatory and supervisory duties. The fields of application are broadly diversified:
- from compliance management, such as automated evaluations of regulatory requirements, gap analyses, via
- risk management, for example as automated warnings and countermeasures based on data analysis, to
- customer verification and fraud detection, e.g. in the form of automated money laundering checks and transaction monitoring.
Such digital compliance solutions are based on two basic principles: preventive and reactive verification of internal company processes. In the case of preventive checks, certain internal company actions are only released after a prior compliance check. A typical example of preventive control is the so-called sanctions screening. Here, the data of potential new, as well as existing business partners is compared with sanctions lists using special software. In the event of a relevant "real" hit, no approval is given for the business to be conducted with the person or company in question, and existing business relationships must be terminated.
Reactive screening examines whether behavior on the part of one's own employees or business partners is in line with (legal) regulations. An example of reactive digital compliance is the so-called cartel screening. With the help of screening programs, data and correspondences are examined for cartel conspicuities. If, for example, the product price is found to have increased despite falling demand, this can be an indication of illegal price fixing with competitors. The German railway company Deutsche Bahn recently introduced a digital screening tool that checks the procurement data of more than 2,000 tenders annually for signs of collusion.
Benefits of digital compliance tools
Digital compliance tools offer several advantages over "analogue" compliance. Especially with regard to the increasing regulatory requirements, AI-based compliance programs regularly lead to cost reductions. Both time and human capital can be saved when an intelligent "filter" is implemented. Software can also analyze a much larger amount of data in a much shorter time. Compliance tools can therefore also and especially be attractive for small and medium-sized companies that do not have as thick a staffing layer as large corporations.
Furthermore, the automated processing of large amounts of data and processes leads to improved control and efficiency. The more data is processed in its breadth, the more comprehensively the company's behavior can be checked for errors. These advantages can be seen, for example, in the area of money laundering prevention. In so-called smurfing, criminals smuggle the money to be laundered into the bank in random pieces via many different straw men. If the deposited amounts are viewed in isolation or at least not in the right combination, no connection can be made between the individual transactions. Often, a money laundering check carried out by humans cannot detect such cases.
Moreover, digital compliance tools are not only able to recognize a connection between individual actions, they also "learn" from previous cases and recognize patterns in processes and behavior. This helps to identify so-called "false positives" - i.e. actions that are considered violations but are not in fact violations - which minimizes the susceptibility to errors. So in addition to the improved review in breadth, the review in depth is also optimized.
Legal guard rails for digital compliance tools
The use of digital compliance tools is subject to legal requirements and limits. However, anyone looking for a general "regulatory law" will not find one at present.
In particular, the legal framework for the use of AI-based systems is still in its infancy. The OECD has formulated recommendations on the legal treatment of AI, but these are legally non-binding. According to these, "human-centred values and fairness" in particular should be respected. Above all, respect for human rights such as privacy, data protection or protection against discrimination and internationally recognized workers' rights are emphasized.
The EU Parliament recently passed the AI Act, the world's first AI law to regulate the use of artificial intelligence. These rules are not yet binding either; talks with the EU member states in the Council on the final form of the law are just beginning. The German government also plans to regulate the use of AI in the workplace. However, more than a ministerial paper is not yet available here either.
Internationally, too, AI regulation is still predominantly at the draft stage (e.g. the Chinese draft of measures for the management of AI services, here the English translation by the University of Stanford), the targeted tightening of national laws (e.g. in Japan, "Data Protection Law" 2022, English version) or the publication of general policy papers (cf. e.g. the US FTC's "Principles for the Treatment of AI Systems"). e.g. the principles for the treatment of AI systems of the US FTC).
The most important source of binding regulations for the use of compliance tools in Germany and the EU are therefore existing EU regulations and national laws. In the coming articles in this series, we will show you which legal limits and requirements currently apply to the use of digital compliance tools in Germany and in which areas of application compliance tools have already proven their worth. The next article will deal with "Software and Sanctions Screening".