The Fraud Cast: Technology and the regulatory compliance challenge

Video 05/05/26

Transcript

Fran Marwood: So good afternoon to you all and a very warm welcome to the latest edition of our Fraud Cast series. My name is Fran Marwood and I'm a partner in PwC Cyber and Forensics practice. And in our last Fraud Cast we discussed the new failure to prevent fraud offence. And now that the enforcement date of 1st of September has passed, we thought it'd be timely to delve into how the compliance landscape is evolving and some of the tech related challenges that organisations are currently facing.

And as part of that, we'll be touching on the pace of changing compliance demands, how technology is helping organisations to keep pace, and some of the practical challenges that you all face when you're implementing new compliance technology.

And as usual, we'll be asking some poll questions during the session, and we'll also be taking questions at the end. So please use the question function if there's anything at all you want to ask the panel. And so without further ado, let's turn to our panel members today, and I'll kick off by asking each of our panellists just to introduce themselves. So Emma, over to you.

Emma Tyler: Thanks, Fran. So I'm Emma Tyler, I'm a director in our forensics practice with a background in 3rd party risk management.

Rob Stephenson: Hi, I’m Rob Stevenson, I'm a director in our compliance controls and regulations team.

Craig Mckeown: Hi, I’m Craig Mckeown. I'm a partner in our forensics data and AI team and I help clients select and implement technology mostly in the compliance and fraud areas.

Fran: Well, thank you all for those introductions. We're actually going to depart from the norm now and kick off the session with a poll question for you all and we'll come back to this in a few minutes.

So the poll question that we're kicking off with you should be able to see on your screens now. It's a big question. What's your organisation's biggest challenge in managing compliance effectively?

And we've got a bunch of options there for you, people and culture, Tech and automation, governance and controls, data quality, which is a theme we'll be coming back to and getting better collaboration across functions.

So now that that question is out there, whilst we're all thinking about that poll question, let's move on to our first question for our panellists. As we all know, compliance demands are increasing faster than ever with ECCTA adding another important layer of responsibility for compliance teams. Emma, I wonder given your experiences of working with clients on ECCTA readiness, how do you see ECCTA shaping current compliance priorities?

Emma: Yeah, thanks, Fran. So, so yes, for those that joined the last session, we covered ECCTA and I think as you said, it's now effective as of September. So I suppose just to start with, there's a major piece of UK legislation. It's really kind of opened up that transparency and fighting economic crime topics with clients. A lot of the work we've been doing in terms of the run up to that one September date has been looking at things like their framework but also risk assessment. And that might be bringing in a new one or kind of updating and refining what they already have in place. Particularly because this is about a lens of organisations benefiting from fraud rather than being a victim, which is obviously a key differentiator.

Now that we've kind of passed that one September kind of milestone, we're really seeing clients starting to turn to think about their control framework. So either looking for opportunities to simplify that but also enhance that. And I think that's where that gets quite interesting. Then in terms of the kind of technology landscape and the use of data, particularly around that both in terms of responding to ECCTA, but also the opportunity to help with different compliance obligations.

So couple of examples to bring that to life, be that around transaction monitoring, be that looking at the pipe resilience, which is just a hugely topical issue in the market at the moment. How do you get around conflicts of interests are really kind of deep diving on that. And then the kind of integrity and reputational risk areas as well. So a real opportunity to solve multiple problems with that technology.

Fran: Great, thanks for that. Rob, you've recently coauthored our global compliance survey, which where we spoke to 1800 clients about, you know, how compliance is evolving and some of the challenges that they're facing. It'd be great if I could get, I could get your thoughts on the, you know, the broader compliance landscape.

Rob: Yeah, I mean, the survey showed there's an overwhelming view that the compliance landscape is, is getting much more complex. And in fact, 85% of the respondents said that just in the last three years, it's become much more complicated. And there's a there's a number of factors driving now. I think there's the customers and consumer expectations are much greater now on clients. The regulatory scrutiny is much more increased. And we're in a very dynamic geopolitical landscape at the moment. And that obviously has an impact as well as to what's coming. ECCTA is a great example of that.

There's the GDPR changes that are coming, the EU AI Act, corporate governance reform. There are so many, but it's not just the number of new regulations that are coming from, it's the, it's the speed that they're coming up at companies. And that's what's really causing the problem in slowing down organisations is the complexity. Sometimes they're overlapping, sometimes they contradict each other. So that's really causing challenges. And what we saw in the in the survey was actually there are those companies who are on the front foot, who are what we call compliance pioneers. They're starting to think about how do they not just manage the risk, but how do they navigate their way through the risks, through the regulations and navigate compliance. And that's putting them on the front foot, becoming much more strategic and really accelerating how their organisations continue to move forward and, and to manage those risks. And they're doing that through obviously introducing technology, AI, data analytics, one of those usual kind of suspects.

Fran: Thanks for that, Rob. And we'll move on now to the answers from our poll that we ran. And we, you know, we, we can, we can all see the poll in front of us. And you know, coming out top of that list is how you all leverage technology and automation.

And then there are others in there that are coming out joint second, really strengthening governance and enhancing data quality and insights from the data, which as I mentioned, we'll come on to.

But just with those technology challenges that are in the poll there in mind. Rob, I wondered if I could ask you how are you seeing organisations adapt their approach to compliance given some of those challenges?

And, and secondly, really what role you see technology playing as part of that companies adapting?

Rob: Yeah, I think the adaptation is really around that historically, compliance has been a kind of a reactive function. Something's gone wrong, compliance, get called in to come in, identify recalls, figure out what was wrong, and then put some corrective actions, preventative actions in place to make sure it doesn't happen again.

What we're seeing now is these compliance functions being much more proactive. They're starting to predict where the risks are through using data analytics. So that type of technology is allowing them to identify outliers, identify themes and trends over time, and that's really putting them on the front foot to identify the smoke before the fire even starts. So we're seeing that with obviously the use of AI through automation, data analytics, but generally taking some of those activities that compliance have historically done, that was kind of turning the handle quite resource heavy into something much more automated.

And that's, as I say, putting them on the front foot, but it's also freeing them up to provide greater value back into the organisation. Compliance is really a centre of an organisation and with all of that data and insights they have, they can really start to add value back in and across multiple functions as well.

The other emerging development that we're seeing is the use of third party data. There are quite a lot of organisations now are starting to take that third party data and enhance the picture that they have. So they've got their own internal data. You add in 3rd party data and you get much more of a holistic view across what is going on. And that's a real change in the approach as well.

Fran: Thank you for that, Rob. And I suppose moving on to you, Craig, you work with a number of our tech alliances and I wonder if you could talk a bit about how new technologies creating opportunities perhaps in areas like third party risk management and supply chain integrity.

Craig: Yeah, there's some fantastic technology out there. Fran and Rob made some really great points there. So one point is obviously trying to take away a lot of the manual work from teams, as Rob said, a good example of that, one of the partners we're working with focuses on supplier onboarding, again, a process that was always quite manual and, and heavy. So a lot of automation, use of AI to onboard suppliers as quickly and easily as possible. But another one of Rob's points then once you know who that supplier is, what other external data can you draw in around their financial status, their cyber security, their ESG standing? So the richness of the data you hold in that supplier is so much better than what it would have been previously, and the effort to get it in is much quicker and easier. So that's a really good example.

And then obviously maintaining that data as you go along so it doesn't go out of date and keeping it relevant. Another area which touches on one of Rob's points in tech is an area called entity resolution. So yes, clients have all this data in their organisation. There's all these external data sets on the market, but when you go to put those all together in one place and if you've got individuals or organisations that are listed in different of the data sets, historically that would have been a real problem.

So a really good example, PwC may be listed as PwC, Pricewaterhouse, Pricewaterhouse Coopers could be 20 different ways it's listed. That could be duplicates. When you have that in one data set and you match it to 10 other data sets, you just have a real mess of understanding as to is this the same organisation? Is this a different one? The area of entity resolution uses very clever methods to work out which of those is the same organisation or the same person and to match that. And once you do that, it sounds fairly trivial, but if anybody's involved in data, we'll understand it's a big problem and a lot of that is solved. Now. These technologies can work that all out and then you can pull in all the data held in all those different data sets on an organisation or an individual so that as to Rob's point, then the decisions you can make off the back of that and you know, the insight you get is way more than would have been even a few years ago. So that's a really exciting development.

The last one I'll touch on is the use of AI and agents or agentic AI as we hear about. I have to say there's probably not lots of our clients that are already fully deployed agents across their organisations, but some have made the start. A lot are in the proof of concept stage, but a really good example one of our clients has deployed agents already and whenever their team come up with a query or an issue around a contract, they can ask an agent a question about the contract they have with the supplier. The agent goes off to the contract lifecycle management system, finds the right contract, pulls out the relevant information, brings that back and displays it for the compliance team to make a decision. So still human involved, it's only bringing back and displaying it, but the time savings and the efficiency to get to the right, the right information is, you know, way quicker and just making people's jobs a bit easier, easier now.

Fran: Thanks for that practical example, Craig. And, you know, touching on the point of how important data is, it's often the point that, you know, can get overlooked, but, you know, getting that right and getting the right foundations, it's obviously really key. So thank you for that.

I'm really interested in what our audience thinks about compliance technology as well. So let's hear from you all again about some of the challenges you're facing around tech adoption. So we'll have our second poll question now. And the question is on the screen now, what's your organisation's biggest challenge in adopting compliance technology? And you know, we we've got some pointers there based on our client conversations, but things like building, building a business case and the investment case, choosing a vendor amongst all the market noise. And there is certainly no shortage of that data quality which we've already touched on integration with existing systems. And also that last point there starting the just knowing where to start with the, the AI journey.

So whilst you're all thinking about those poll answers, let's move on. Emma, I wonder if you'd be able to just touch on for a for a minute or two, a real life example of where we're working with clients in the compliance technology space just to bring some of this stuff to life.

Emma: Yeah, sure, Fran. So a really good example is some of the work we've been doing with the global consumer markets client and we've been helping them kind of transform how they do compliance investigations. So previously before the before the work we did, this client had very manual processes. It was very resource intensive process and kind of responding to an initial whistle blowing allegation took weeks.

So what we've done is leverage some of the functionality that that Craig's mentioned there to bring in a decision intelligence platform, really to bring all of those different data sources that are points of kind of Intel, if you like to kind of corroborate and validate a particular initial kind of first triage of a of an allegation. And we've brought all that together to create kind of a single unified view of a particular entity, so a supplier in this particular case. And that's allowed us to reduce that kind of investigation time from weeks to minutes in terms of having all that data at your finger fingertips.

What's been particularly interesting, I guess probably compared to some peers in in this space as well though, is how we've also been able to work alongside compliance and procurement together. So leveraging some of those data sources, which when you brought them all together, as Craig was mentioning, we've been able to serve both answers around the kind of compliance investigation piece, but also some of those initial kind of preliminary checks before onboarding that particular supplier, but also have things kind of change through that in life management process. So the ability to bring those teams together and kind of solve for multiple, I think is really powerful in terms of where these technologies go.

Fran: And have you come across any challenges as part of that experience?

We will be coming onto challenges, but in terms of how those different bits of the business have worked together?

Emma: Yeah, I think a little bit is it's kind of making sure everyone's got their voice heard within that and making sure that, you know, when you're kind of designing the scoring and then I guess the inclusion of all the different risk errors. You might want to look at how do you get that balance in terms of kind of starting small but not kind of boiling the ocean too quickly and kind of bringing everyone on that journey.

But yeah, we might talk about that I'm sure in a bit as well.

Fran: That's a really good example I think of how technology can really transform compliance activities. But as I sort of touched on them, we do also see some practical challenges. And Rob, I wonder if you could tell us a little bit about some of the practical challenges or hurdles that you've seen when you've been working with clients to, to implement some of these systems and when, you know, when clients decide to invest some of the things that can go wrong.

Rob: Yeah, the obvious challenges are building the business case to start with, especially from a compliance point of view, which is often seen as just a cost to the organisation rather than something that generates revenue. So building that business case is key, and it’s really about demonstrating the value. We touched on this a little bit already, in terms of how much more the compliance team can do, becoming more strategic and helping companies continue to meet their commercial imperatives. That’s ultimately what will drive investment into the technology.

The second point is data readiness. You need to have your data in a good position — it needs to be accessible and of a decent quality. Having fragmented data, or data coming from multiple instances of the same technology, makes life very difficult and makes it harder to extract meaningful insights. So data readiness is another key challenge that organisations really need to get a grip on and build strong foundations for.

Fran: Great, no thanks. Some really valuable points there. We’ll look at how that compares to the results of our second poll question now. So, just as a reminder, the poll question was: what is your organisation’s biggest challenge in adopting compliance technology? Perhaps unsurprisingly, data quality and readiness came out at 41%, which ties in with what we were discussing earlier. If you’ve got your data in a clean, globally consistent state, firstly you’re in a very rare position, and secondly you’re much better equipped to build on some of this.

The second highest response was around integration with existing systems and processes, which is a significant challenge. We often find that legacy systems can be difficult to tap into, and 23% of you are clearly experiencing that. Then around 18% highlighted the business case. Picking up on that point, Craig, based on your experience supporting implementations, I wondered if you could share some practical advice for our viewers on how best to get started when thinking about new technology.

Craig: Yeah, and Emma mentioned it earlier, Fran. Cross-functional collaboration is something we consistently see as a key success factor across many of the projects we deliver. It may start with a compliance team looking at a technology solution, but getting finance, IT and procurement involved early is really important. That might be because they’re part of the funding process or risk considerations, but also because compliance processes often touch those functions either before, after or as part of the workflow. The earlier you bring everyone in, the better the design of the solution, as it reflects a broader set of needs. In many cases, the same technology can serve multiple functions, and that can allow you to draw on different budgets and create a larger overall investment pool.

We also strongly recommend starting small, as Emma mentioned. Focus on one clearly defined use case where you can measure value and deliver success. That success helps build internal credibility and creates a positive culture around the initiative — you can point to tangible outcomes, demonstrate value, and show that it was achieved with relatively modest investment. That, in turn, makes it much easier to secure further funding. By contrast, trying to do too much too quickly can lead to high costs and poor outcomes, which makes it very difficult to justify continued investment. So it’s far better to start small, deliver success, and then build from there.

Another key piece of advice is to get hands-on with the technology as early as possible. We often run proof of value or proof of concept exercises and encourage the teams who will ultimately use the tools to get directly involved. Vendor demos can look impressive, especially with clean, simple data, but they don’t always reflect real-world complexity. When people actually use the tools themselves, you get much richer feedback. If the experience is positive and the team can clearly see the value, they become advocates and help spread that message across the organisation, which builds momentum and confidence.

So we always encourage running proof of concept exercises, getting teams involved early, and testing whether the technology truly delivers what it promises and whether people find it useful.

Fran: I’d also echo the earlier point about bringing different parts of the business together. What we often see is that the same technology can support multiple use cases across an organisation, even if different teams are initially looking at it independently. Joining those dots and pooling budgets can be very beneficial and may even reduce overall spend.

Rob: Ultimately, a lot of this comes down to the data you’re working with, for example, SAP data might support tax compliance, financial controls and broader regulatory compliance, so there’s real value in taking a joined-up view.

Fran: So it's not just your obvious ones, is it?

Craig: No, it's just, and if you look even getting it involved sometimes a lot of cases like IT are running the projects if it's an implementation of tech, but you know, having one solution that can serve as multiple functions to do similar things. An IT team creates less work in terms of having to implement three different platforms, having to go through all the security reviews, having to make sure it's cyber secure, all of that. If you have only one platform, it makes it easier. So again, just having that conversation early, you can get some of these functions on board earlier and supportive of IT, which helps with your business case.

Fran: That's great and some great practical points there. Well, that's a bit where we move on to the questions.

And I'm always pleased to see a big long list of questions coming through. So we'll, we'll start to work our, our way through a few of those. So if, if there I'll, I'll go with the question and you guys just jump in as, as you feel like answering them. But I mean, the first one there, we're hearing a lot about AI in the compliance space from your work with clients. What themes are you seeing around AI adoption across different sectors?

Rob: The compliance survey gave us a slight view on this as well. There’s kind of two speed lanes, I guess at the moment with AI adoption for compliance, and it’s predominantly in the FS and the tech space, unsurprisingly. But they’re really forging ahead with the use of AI in the types of monitoring they do and some of the financial aspects of that, for the other sectors slightly slower. And I think the reasons for that are probably comes back to data and whether they’ve got their data in the right place, but also just a bit more cautious around what they might want to do with AI and making sure that they’re using AI responsibly. So what we are saying is people, just a bit like Craig mentioned earlier, small proof of concepts, just try it out on something, get your data together, see how it works, see what the value is and then build the case from there to push it a bit further.

Fran: And regulation plays a part in that, doesn't it? If clients are sort of regulated and the expectation is that they'll have answers to these questions, then they're more like, I mean, one sort of anecdotal thing that we've seen an awful lot of is that a lot of our consumer clients are getting into this space. And you wouldn't ordinarily think of them being pioneers, but a lot of our clients in the consumer space are pioneering this sort, this sort of work. And I think that's mainly because of the footprint. You know, they're often global organisations and it's seen as a great way to and an efficient way to manage risks across global operations.

So let's move on to the second question. I can see there. How do you overcome resistance? How do you overcome resistance from teams who are used to traditional compliance processes, especially when you're trying to introduce new technology and meet the needs of multiple stakeholders? I guess that's similar to what you were talking about Emma. Do you do you want to take that one?

Emma: Yeah, I can pick that up. I think Craig’s probably touched on a couple of points. So yeah, so I think it's partly around, you know, involving people early, right, so shaping it, but also getting their hands on the tech and actually kind of kicking the tyres. I think that's just hugely valuable. I think then when it comes to the earlier point around the scope and the design phase, sometimes what we see is, you know, everyone, say risk domain leads, procurement, compliance, finance, come with their kind of shopping list at once, right? And very quickly that can be kind of overwhelming in terms of trying to create this big thing rather than something that's small, tangible and can kind of get to value quickly, as Craig was mentioning earlier.

So I think some of the practical things we've seen work quite well with clients is building those guard rails around design principles to help with that. So yes, everyone is heard and kind of gets their respective asks into the mix, but then how do you prioritise that? How do you start small and grow and let the results almost sell the rest of the business case for broader uses? So I think that is really helpful. And then once you've got that buy-in, that helps when you come to implementation and go live in terms of that change management process and actually getting people to adopt as well. So it kind of covers both the start and the end of the process.

Fran: Craig, have you got anything to add to that one?

Craig: Yeah, we, well, practically we do things sometimes like have some champions as we would call them within. So again, if you're adopting new technology, having a small number of people who again are more exposed to feedback and are more involved, who then go out and tell the rest of the organisation about it. Sometimes pick the most sceptical people on purpose just to, because people think, oh, that person who was very sceptical is now, you know, an avid fan of the technology, then that's very powerful for others to see. So we work with clients and we pick and choose some people as they put them through extra training and get them really involved in it and then allow them to spread the word amongst others. It makes adoption easier.

Fran: Great. OK, perhaps we've got time for one more. Any tips on how we can make it easier to integrate with existing systems processes when adopting compliance technology? It's quite a deep techie question. I don't know whether anybody's got any thoughts on that one. Quite a hard question.

Craig: Well, yeah, integration, there's a question there as well about agentic AI just before that, Fran, so maybe you add the two of them together. So integration is really interesting at the minute between systems because it used to be historically you would have tried to connect the systems all together and usually would have used what was referred to as API connections between those systems to pull data from one to the other.

The use of AI agents now is coming more into play where the agent actually goes between the systems and either is collecting data or bringing data, doing analysis, making decisions, and somebody's also asking about, you know, where we see that going forward. So people have been quite hesitant about full agentic AI, as they should be, because there's a lot of risk. There's a lot of things to consider, things to think through.

At the minute, our clients will be very much still seeing a lot of human involvement, very often throughout the process. You're still getting a lot of value, but there's a lot of human interaction. In the future, the plan obviously is that the agents will think for themselves a lot more. So rather than you telling them exactly what steps to take, you will just tell it what the problem is and it will go, and you will give it access to the systems to go and figure out itself what it should do, what information it needs to answer the question.

So it's a bit scary thinking forward to some of that, but at the minute we can definitely see agents being used, especially in that integration between different systems and bringing information between them. And that, I think, is helping people to connect a number of these systems together now.

Fran: Thank you for that, Craig. Well, look, we're coming up to the half hour, so let's start to bring things to a close. As usual, it's flown by, a really interesting conversation. I mean, the things for me that have stood out there are, you know, we've, we've talked about data far more than I thought we were going to. You know, there's a, there's a key point around data, around cooperation, around starting small. But I wondered perhaps just working our way along the panel, just as closing remarks, any observations that particularly resonated with you, Emma?

Emma: I think for me, it's the real opportunity that some of the compliance technology that we've talked about today offers clients, right? So we're at a real inflexion point in terms of some of the new capabilities, with entity resolution being one example, being able to cut through that landscape of different systems that haven't traditionally talked to each other. So, you know, lots of opportunity, equally lots of challenge, but it does feel like a real turning of the tides in terms of the art of the possible. And that's really exciting.

Rob: Yeah, I think, you know, looking at some of the systems you have internally already, some of the, you know, just the data visualisation, data analytics tools that most companies have. But if they, if you use that for your proof of concept just to get started, that's really going to help that shift. And I think as Emma's alluded to, you know, compliance is a key point where they're really starting to get more strategic and become more of a capability to an organisation, not just a control function.

Craig: Yeah, I would have a really good think about which processes currently take the most amount of time for your team and are taking up most of the time during a day. And pick something like that as a use case for an automation or an AI proof of concept. And you'll really see the benefit then of freeing up your team to then do the stuff they've been trained for and the stuff they've got expertise in, spend less of their day doing some of those more manual tasks. So pick something, do it really well and then use that success to do something to do the next case.

Fran: Thank you, Craig. And if people are watching and want to pick up and have a specific conversation, we're always there to and always interested to have a conversation with you. So please do reach out to your usual contact and with that, I think I'll bring us to a close. So firstly, a huge thank you to all our panellists for taking us through those insights, and to all of you for joining us.

Please do visit our Fraud Cast web hub where you'll find all the links to the previous web casts. We do try and keep those to half an hour, so they're a good source to dip in and out of. And please do keep an eye out for our future Fraud Cast sessions and our next session is going to focus on the AI trust agenda. We kind of touched on that one earlier, so quite a nice segue there. And please do let us know if there are any other topics that you'd like us to cover. Thank you and we look forward to seeing you all again soon.
