Model-driven regulatory compliance: A case study of “Know Your Customer” regulations

Modern enterprises face an unprecedented regulatory regime. Industry governance, risk, and compliance (GRC) solutions are document-oriented and expert-driven. Formal compliance checking techniques, in contrast, attempt to provide ways for rigorous modeling and analysis of regulatory compliance, but miss out on the holistic GRC perspective due to missing integration between the diverse set of (semi-)formal models. We show that by streamlining regulatory compliance using multiple purposive models of various aspects of regulations, it is possible to leverage both the rigor of formal techniques and the holistic enterprise GRC perspective. Our contributions are twofold. First, we present a model-driven architecture, based on a conceptual model of integrated GRC, that is capable of addressing key challenges of regulatory compliance. Second, using Know Your Customer (KYC) regulations in the Indian context as a case study, we demonstrate the utility of this architecture. Initial results with KYC regulations are promising and point to further work in model-driven regulatory compliance.
