The Regulatory Compliance Technology Buyer’s Process: A Step-by-Step Guide to Automating Your Compliance Program U.S. edition

INTRODUCTION

The purchase of a regulatory compliance technology solution requires an incredible investment of both time and resources. For investment advisory firms who have never purchased this kind of technology before, or have not done so in recent years, the complexity of the process can be incredibly challenging, even in some cases derailing the project.

As an industry-leader, ComplySci has worked with firms, big and small, to address unique need and heightened regulatory requirements with a technology-backed compliance program. After two decades, we’ve learned a thing or two about what it takes to move your program forward and get the buy-in you need from key stakeholders.

In this guide, a complementary piece to our RegTech Buyer’s Guide, we provide regulatory compliance professionals with a step-by-step process to help you navigate the buying process, including who should be on your procurement team, how to align technical and functional requirements and how to assess potential vendors.

SECTION 1: AN OVERVIEW OF THE REGULATORY COMPLIANCE TECHNOLOGY PROCUREMENT PROCESS: DEFINING YOUR PROJECT AND THE PROCESS FOR SELECTING AMONG COMPLIANCE SOFTWARE SOLUTIONS

Securing a new (and ideally effective) regulatory compliance technology or software solution for your investment advisory firm requires more than just a monetary investment. Your time, resources and energy will undoubtedly be required. Before you can get to the purchase and integration of your new technology though, you must lay the groundwork — aligning your project scope, budget, requirements and so much more.

To do so, we suggest asking yourself:

Is this an idea or a confirmed project?

While the idea of a compliance program backed by a trusted regulatory compliance technology provider sounds amazing, the actual process tends to be a little more complicated than just “plugging it in.” Defining where you are in your project, and whether or not it can even be classified as an official project, is the first step.

Going from idea to official, confirmed project requires a few steps:

1. Explain the challenge or problem: Why do you need a new regulatory compliance technology? What kinds of large- or small-scale problems are you experiencing, which you believe could be solved by this investment.
2. Define your project goals: If you are looking for executive buy-in, you’ll need to address why the project is worth the investment and what you hope to achieve.
3. Scope out the project: While your compliance technology provider will help you fine-tune the timeline, you should come to the project with an idea of when you hope to complete the project, how long it will take and who will be involved (more on that later).
4. Establish budgetary constraints: It’s time to address budget. While you can hope for your new investment to solve everything under the moon, establishing a budget ahead of time will help you scope out what constraints you have and, in the long-run, help you determine must-haves from nice-to-haves.
5. Create a plan of action: What’s next? Define the steps you plan to take to assess and select a compliance technology provider.

Have you bought regulatory compliance technology previously? 

If you are moving from one compliance technology provider to another, you may already have a procurement process in place. If you haven’t, or even if it’s been a while since you purchased a new technology, it might be wise to review the steps, which should be taken to ensure you are adequately assessing options on the market and selecting the right provider and technology for your financial firm.

While the steps within this guide will help you establish a procurement process, it is essential to confer with your entire team to ensure everyone is on the same page and in agreement with the steps, which will be taken to select your vendor.

Do you know how to define your requirements for a regulatory compliance technology? 

A crucial step to procuring the right compliance technology or software is understanding what you really need out of it. By aligning the challenges you are trying to solve for with the capabilities of your new technology, you can be sure you won’t be left with buyer’s remorse post implementation.

To accurately define your requirements, you should:

1. Speak with the various departments who will be using the technology to gain an understanding of the requirements from every perspective.
2. Categorise the challenges you are attempting to solve for. This step is critical to help you define what your core challenges are versus your second-tier challenges.
3. Define must-haves versus nice-to-haves. While you can make a wish list a mile long, establishing what is a make-or-break for your technology will help you assess the various options on the market.

Top tip: Check out our Regtech Buyer’s Guide to get a checklist of requirements and must-haves for your procurement process.

Do you know who needs to be involved in the process? 

While your compliance team may take the lead in the procurement process, they likely won’t be the only individuals on your buying team. In fact, if your buying team is solely made up of the compliance department, you may overlook critical requirements.

Teams which may need to be involved in the procurement and purchasing process include:

Once you have a buying or procurement team in place, ask yourself:

1. What steps need to be taken to progress a purchase with this team? 
2. Does the team have authority to sign off on the selected vendor? 
3. Do you understand the process for getting sign off? Is there a documented set of steps to sign off on the project?

Analyzing current regulatory compliance technology solutions

Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA) and state regulations and industry risks continue to evolve, demanding more technological investments made by investment advisory firms such as yours. To understand what you require in a regulatory compliance solution, you have to assess where your firm is right now and where it could be in the future.

Do you already have something in place?

Whether you are moving away from manual processes or transitioning between compliance platforms for your financial services firm, there are a few key factors (internally and externally) to take into consideration when selecting and transitioning to your new compliance platform.

1. Manual: Many financial firms rely on manual processes, such as email, to manage their firm’s compliance programs. While this might be a passable solution, manual processes are prone to human error, which puts your firm at risk of rule violations and potentially detrimental consequences. As your compliance team sees its scope increase, handles more and more information and data, relying on time-consuming manual processes is unsustainable and can expose your firm to significant risk.
2. Semi-manual: Some firms implement a semi-manual process, in which they rely on their compliance team to manually process some information, while automated solutions complement those efforts and process other information. While this is a marked improvement compared to completely manual processes, this process is still prone to human error and can result in tasks “falling through the cracks.”
3. Existing third-party technology solution: To help save on costs, firms may contract an outside vendor for compliance software needs. In this case, the firm will often have an internal team partnering with an external vendor for technology needs. While this can be cost effective, it does create limitations given the software is not your own.
4. Existing third-party management solution: Some firms have opted to outsource the management of their compliance program to a third-party vendor. If your firm has chosen to do so, determine if your firm is contractually tied to this thirty-party vendor and, if so, for how long.
5. Internally developed solutions: There are several reasons why firms may develop internal solutions for managing and automating their compliance programs. While building your own system can afford you a tailored solution to meet your organization’s specific needs – including adding new capabilities into the company’s IT infrastructure – doing so requires a significant investment of time, money and internal resources both upfront and on an ongoing basis.

Why are you looking to change?

Firms have countless reasons for why they might change the way they are managing their compliance program. Sometimes, the compliance team might find their scope of work is much larger than they can handle using their current process, so they have to make a change. Or, your firm might opt to change its process for the sake of cost. Other reasons a firm might decide to change the way it manages its compliance program are:

Understanding your regulatory compliance technological requirements

As your investment advisory firm evaluates options, don’t be afraid to ask questions about systems and solutions you are considering. A sentiment which is especially true in terms of your technological requirements. Even if you still primarily rely on manual processes for your regulatory compliance needs, your firm has likely already onboarded key software, which may need to integrate with your new solution to avoid data siloes and other challenges. Additionally, in an increasingly digital world, you face the risk of digital threats, which make your cybersecurity requirements an essential component of vendor selection. Assessing these kinds of technological requirements will require a heavy lean into your IT team, however, armed with the right information, you will be better able to evaluate the suitability of new solutions.

Are you tied to a specific technology stack?

Your financial firm will likely already have a technology stack in place, an understanding of which will be crucial to the evaluation of potential vendors. Work with your IT department (who should already be part of your procurement team) to gain a better understanding of your technology stack, how it integrates and any limitations it could place on your selection.

Consider:

• Do you know what programs make up the stack?
• Do you know why you’re tied to the program(s) in the stack?
• Will this be a restriction on what compliance technology you buy?

Integration points

The integration of your compliance technology will be crucial to the success of the project. While automation on its own can be beneficial, when a firm relies on multiple siloed platforms to perform disparate functionalities, it can create gaps in your firm and its processes.

Following the analysis of your technology stack, you will likely have a baseline for which platforms should integrate with your new regulatory compliance solution. Work with your IT team to understand where it is feasible for the compliance solution to integrate and what kind of timeline and delivery you can expect, this conversation should cover:

• Scope of integrations.
• Timing.
• Delivery.
• Responsible parties.
• Load testing.
• Cost/benefit analysis.

Regulatory cybersecurity

As we have seen this past year, the threat of cyberattacks has become a focal point for regulators around the globe, as the sophistication and impact on cyberattack victims only continues to increase. The SEC and FINRA have been particularly vocal in recent years about the detrimental impact cyberattacks can have on financial firms.

Your firm will want to ensure the regulatory compliance technology selected meets the data privacy requirements of all applicable regulations, while also meeting the data privacy needs of your firm and its clients.

Your IT team will likely lead the charge in the evaluation and qualification of any cybersecurity measures, however, as part of the procurement team, it is helpful to have some basic awareness around potential risk points.

Type of data elements

• What personal data is being processed?
• What category of data does this fall into?
• What is the lawful basis to collect the data?

What format and in what location is the data stored:

• Digitally/shared apps/mobile phone access.
• Cloud/third-party providers.

Transfer method

• How is data being moved across different systems?
• What integrations are setup to move the data?

Accessibility

• Who has access to the personal data?
• Who is accountable for the protection of personal data?

You will also need to address security, technical and organisational measures  to meet certain qualifications, including those under GDPR.

Security measures – must ensure ‘confidentiality, integrity and availability’ of your systems and services and the personal data you are processing.

Technical measures – Cybersecurity/encryption/physical security/passwords.

Organisational measures – Infosec policies/regular DP assessments/audits/training.

As your firm determines its technological requirements, it should consider several cybersecurity-related questions:

• How will you host the platform? On premises or on the cloud?
• If you plan to host on the cloud, who is your provider? What cybersecurity measures do they have in place?
• Does the potential compliance technology have a security alert system?
• Will the firm’s data be transferred to the platform and where will it be processed?
• Does your firm have a data privacy policy in place which complements the potential compliance technology or will your firm have to make some changes to its policy?
• Does the compliance technology offer the ability to delete data?
• How does the compliance technology encrypt data?
• Does the vendor have a data privacy policy? And how does it compare to your own?

Incorporating the functional requirements for your regulatory compliance technology

Functionality wise, your program will likely have a specific set of needs and requirements specific to UK-based financial firms, which must be met to qualify the implementation of your new regulatory compliance technology as a success. Your compliance requirements, while integral to the overarching usage of the technology, are not the only considerations which should be made for this purchase. You will likely need to tap your resources from multiple departments to gain a 360-degree picture of all needs and requirements across the firm.

Because remember, compliance is a firm-wide activity, and your technology choice should reflect as much.

Regulatory compliance requirements 

As a compliance professional, you will likely have the most first-hand knowledge and awareness of the compliance requirements for your new regulatory technology. However, if you are moving from a completely or partially manual process, you may not be aware of the specific functional needs you will inevitably require. After all, you don’t know what you don’t know.

To help you avoid buyer’s remorse and ensure a smooth transition to and effective use of your compliance technology, you may consider:

1. Is this a point solution or a broader compliance solution?
2. Does the technology incorporate both preclearance and monitoring functionality?
3. What is the user experience for both the compliance team and employees?
4. How secure is the technology or platform?
5. How scalable is the technology or platform?
6. What kind of reporting or analytics is available?
7. How customizable is the solution?
8. Are industry-specific modules available within the technology or platform?
9. Are other managed services provided with the solution?
10. What kind of customer service or support is provided?

Check out our Regtech Buyer’s Guide for a more in-depth dive into functional requirements and technology qualifications.

Human resources (HR) requirements

Your HR team will play a significant role in your compliance technology, especially in regard to onboarding and offboarding your employees. As such, an understanding of their functional requirements will be necessary to ensure your compliance and HR departments are able to fully realize the potential of your regulatory compliance technology.

You will likely have identified an HR representative to join your procurement team during the project development stage, however, if you did not, you should assess who from HR can assist you in delineating their functional requirements for the technology. This may include, as mentioned, onboarding and offboarding, as well as the associated certifications and attestations.

It is critical to gain this insight prior to making a purchasing decision as it may impact the technology vendor you select and the overall effectiveness of the project.

Employee requirements

Outside of the core compliance team, your general employee base will be one of the biggest users of the platform. The user experience on the employee end is almost as important as the compliance team user experience as it may determine how widely adopted your technology is throughout your financial firm.

If your employee base doesn’t effectively use your technology the investment will have been for naught.

How can you address employee requirements to ensure it meets the day-to-day needs of your firm? You may consider both quantitative and qualitative means. A firm-wide survey may be a good place to start to get an understanding of how your employees rank different qualities and user needs, however, you will likely need to follow up with one-on-one meetings to gain a clearer picture of the specific requirements from each department.

In your research, consider assessing the:

1. Access capabilities and security requirements.
2. Degree of user-friendly experience.
3. Customization for employee workflows.
4. Enhanced communications.

While the functional requirements from the various departments within your firm may add a level of complexity to your procurement and purchasing process, gaining clarity on the day-to-day needs will help to reinforce effective usage of the technology post integration.

Establishing qualification questions for your regulatory compliance technology procurement process

It’s almost too easy to think of your project in a silo, however, this can often be to the detriment of the project and the procurement team’s success. Gaining clarity around such qualifications as resource competition and budget, will help to alleviate unnecessary stress throughout the project and ensure your team and your entire financial firm are aligned on the whats, whens, wheres and whys of your compliance technology procurement plan.

Resource competition

Even if your firm has had a record-breaking year, resources are limited. There are only so many team members and so much time to be spent on your procurement project. With that in mind, and remembering that you will need member participation from multiple departments within your firm, we recommend assessing what else your team members have on their plate.

With almost 100% certainty, team members from all departments, including those who might be on your procurement team (IT, HR, compliance and finance) will have other critical firm needs to attend to throughout the duration of the procurement. Qualifying what those resource-consuming needs may be, and how much time and effort they require from the team, will give you insight into the resources available for your project.

Ask yourself and your team:

• What are the resource needs of the project? Is it in line with available resources?
• Do you have an understanding of who will be working on your procurement team and how much will be required from them?
• How much time will project team members be able to devote to your project every week? Every month?
• Will your project require more resources than currently available? Can that difference be made up with a longer timeline or additional team members being added to your project?
• Are there foreseeable resource drains which could affect the project?

Project competition

Along with resource competition is the likely competition of other critical projects within your firm. Think of these projects or items as outside the normal scope of resource allocation. As big-ticket items, they will likely take budget and resources away from your project. Prioritizing budgets and resources allocated to the ongoing projects within your firm will help you both accurately budget and timeline your own needs, and hopefully avoid future project roadblocks.

Ask yourself and your team:

• What are the critical ongoing projects at your firm?
• Are there any other critical projects expected throughout the duration of the procurement timeline?
• How is this project prioritized in comparison to ongoing projects? How will it be prioritized in comparison to future projects?
• Are there additional resources available should team members be pulled away for other projects?
• Is there flexibility within this project (timeline, budget, etc.) to accommodate for any unforeseen project competition?

Regulatory compliance technology budget

As you know, the budget for your project will be one of the most significant aspects of defining and qualifying potential compliance technologies and vendors. After all, if it isn’t in the budget, it likely isn’t happening. By establishing your budget early on – or aligning the process for how to go about getting budget approval – you will help to not only eliminate costly, out-of-budget options, but also gain clarity into expectations, such as return on investment (ROI) expected from your project.

Ask yourself and your team:

• Does the project have an assigned budget? If not, do you know your process for obtaining one? 
• Do you need to get budget approval for the project? 
• Do you understand your budget approval process for new spend?  
• How will you demonstrate ROI to get sign off? 
• Do you need approval from your chief financial officer (CFO)?

Timeframes 

The timeframe for your project, and associated deadlines, will help keep the procurement process on track and help your team align with your vendors integration team to ensure smooth delivery. Clarifying any major deadlines or due dates prior to the project kicking off, especially if you have a strict deadline for implementation, will better refine the project itself and the needs within. It is important to note shorter deadlines will put a strain on resources and budgets, balancing the two will be important to the overall success of your project.

Ask yourself and your team:

• Do you and your team/firm have a clear understanding of the project timeline?
• Do you have a strict deadline you must meet?
• Is it feasible to meet all project deadlines within your timeline?
• Is there any flexibility on specific deadlines?
• Who is responsible for which deadlines within the project timeline?
• Have you documented your project timeline requirements to share with potential vendors? 

The selection of your regulatory compliance technology and vendor

Once you’ve selected your procurement team, analyzed resources and gauged both technical and functional requirements, you’re ready to begin the vendor selection process. This will likely take time and will require you and your procurement team to meet with, analyze and review regulatory compliance vendor options for UK financial firms, comparing features and functionality with the requirements of your financial firm to ultimately find your best-fit investment. Your prior efforts will aid in this process, establishing your preliminary needs, however, as you go through the selection process, you will want to keep specific checkpoints in mind. 

Functional fit 

This aspect should be one of the easiest to assess as you have allocated resources earlier in the procurement process to analyze your functional and technical requirements. How well does this vendor’s technology meet those requirements? Are there any gaps? Will the vendor address or customize to fit your needs or are you willing to let go of some of your requirements based on other criteria? How does their solution integrate with your existing tech stack?

It will be crucial for your procurement team to have an in-depth understanding of, and agreement on, your must-have functional requirements versus your nice-to-have functional requirements for this step. Without a predetermined set of requirements, you will likely struggle to come to a cohesive agreement on which technology is the best functional fit, with each team member vying for the technology which will support their department most effectively.

Cultural synergies 

While it may not seem like a necessary qualification, a good cultural fit is vital to the ongoing success of your technology implementation. Without a good working relationship, you may struggle to take full advantage of your new investment, leaving you with the dreaded feeling of buyer’s remorse.

Compliance technology implementation and project teams

Your implementation and/or project teams will be responsible for the kick-off of your new technology and as the saying goes, you can’t make a second first impression. Meet with your assigned team to ensure your agreed upon implementation timeline and schedule will work for all parties. By doing so before, any agreement is signed you can help mitigate any potential miscommunications down the line.

Service and response 

The service and response time of a vendor is almost as important as the technology itself, especially when you are dealing with sensitive data and information. If the platform goes down or you need an answer to a critical question, will there be support staff available to you? Make sure you know what kind of service the vendor offers before you are faced with a crisis. Any good vendor will provide access to their customer success and support teams ahead of decision time, speak with them to better understand their operation and who your main point of contact will be post implementation.

Price and budget for your regulatory compliance technology

You will likely come into the vendor selection process with a predetermined budget. How well can the vendor match your budget and requirements? While cost is a critical factor, sacrificing potentially necessary requirements can be detrimental to the success of your compliance program moving forward. Make sure you are comfortable with the balance between price and performance, and gain clarity into any potential increases in price you may face in the future.

Price increases can include:

• Yearly adjustments.
• Additional users/seats.
• Additional add-on services or modules.

Financial client data risk 

The kind of information which will be fed into your new regulatory compliance technology is extremely sensitive, which means risk, especially of the cyber variety, must be a factor in your decision making. What kind of cyber protection does the vendor offer? Have they had breaches before and what was the impact? Protecting your critical data is one of the top priorities and your vendor should have measures in place to mitigate those risk points.

Ease of adoption 

What does implementation and adoption look like? Does the vendor provide training on the platform or is it an intuitive interface? If the technology requires a steep learning curve, you will likely struggle with firm-wide adoption, negating the benefits of this investment from the start. Access to the vendor’s project team is also crucial. Meet with them, understand the project plan and make sure you understand your commitments to the project in terms of people and time not just the money.

Usability

Hand-in-hand with adoption is the usability of the platform. How functional is it for employees to access and navigate? Is mobile access provided? Your employees already have hours of work on their plate, if this platform adds even more work to their day, they likely won’t use it and you’ll be right back where you started, manually tracking down attestations and certifications, which this platform or solution should have automated.

Ongoing vendor development 

Regulatory compliance isn’t stagnant. Your technology shouldn’t be either. New regulations and requirements put new pressures on your firm and the technology investments you’ve made. Look for a vendor dedicated to continually improving their solution, updating and releasing new modules to address the needs of the industry.

Level of consultative service 

There is a stark difference between a vendor who simply passes off an out-of-the-box platform or solution, and one who works with your firm to consult on the needs and requirements to ensure a proper fit.

While for some firms, an out-of-the-box, hands-off approach might work, for others, a more consultative, customised approach may be necessary to ensure your firm needs are fully met. Make sure you and your vendor are in agreement about what level of consultative service you will require in the implementation process and on an ongoing basis. Make sure these services, the deliverables and the timescales for delivery are all included in the contract. Don’t settle for anything less.

Other services on offer: Regulatory compliance education, consulting and managed services

Some vendors will provide additional offerings, such as education, consulting and managed services. While you may not want to take advantage of these services up front, knowing you have a trusted vendor who has already made it through the vetting process and who can provide additional solutions when and if you need them will make things much easier down the line.

Resources beyond the regulatory compliance technology

What else will the vendor provide to ensure you are maximising your compliance technology investment? Maybe it’s a resource center with how-to articles and videos, or a monthly webinar series to address key functionality and new updates. These types of resources will be crucial to staying on top of your compliance game.

Conclusion

Investing in and implementing a new regulatory compliance technology is no small task. Despite the heavy lift needed from your internal team and new vendor, when you can align your key stakeholders around executable tasks, you can achieve the common goal of automation and enable a firm-wide culture of compliance.

Ready to select your vendor and begin the implementation process? Download the RegTech Buyer’s Guide to get more information on how to align your needs with a vendor’s capabilities.