IBM - International Business Machines Corporation

10/30/2024 | News release | Distributed by Public on 10/30/2024 07:20

IBM watsonx Platform: Compliance obligations to controls mapping

US regulators including the Office of the Comptroller of the Currency (OCC), Securities and Exchange Commission (SEC), Federal Reserve Board (FRB) and others mandate financial services organizations to prove that laws, rules and regulations (LRRs) are covered across their risk governance framework. This oversight helps ensure a secure and sound control environment that aligns with the organization's risk tolerance and heightened regulatory standards.

However, interpreting banking regulations can be complex and subjective, requiring expert judgment to determine applicability to specific sections of a law. Banks often rely on third-party vendors to review LRRs and generic controls based on the bank's characteristics, such as being a Global Systemically Important Bank (GSIB) or offering specific products and services.

Moreover, LRRs and other industry frameworks, such as the National Institute of Standards and Technology (NIST), Information Technology Infrastructure Library (ITIL), and Control Objectives for Information and Related Technologies (COBIT), are constantly evolving. This continual progress requires nonstop efforts to help ensure that the organization does not have gaps in its control environment. Unfortunately, the manual process of linking LRRs to policies, standards, procedures, risk metrics and controls is time-consuming and often delayed. This process leads to a gap between regulatory expectations and the organization's ability to demonstrate adherence to LRRs.

For example, a bank can have a policy that states that customers' personal information must be protected, and the standard might require encryption of personal data. In that case, the procedure would outline the steps to encrypt personal data, and the control would help ensure that personal data is encrypted. However, if there is a lag in updating the linkages between LRRs and controls, the bank might not be able to demonstrate adherence to the encryption standard, putting it at risk of noncompliance.

The watsonx Regulatory Compliance Platform reduces manual effort for control owners, compliance, risk and legal teams.

IBM watsonx™ can be used to automate the identification of regulatory obligations and map legal and regulatory requirements to a risk governance framework. This solution supports the validation of adherence to existing obligations by analyzing governance documents and controls in place and mapping them to applicable LRRs. Leveraging this technology can significantly reduce manual effort for audit, compliance, risk, legal, IT and business control owners to create and maintain LRR libraries.

For example, Watson Discovery can proactively crawl the internet to look for regulatory amendments for a specific set of LRRs, performing an impact analysis. In a conversational manner, Watson Assistant can be used as an interactive question and answer advisor to respond to regulators, audits or external inquiries about the risk and control environment. Large language models (LLMs) are becoming an integral part of a risk and compliance program, and they require little to no training.

LRR and governance data is enhanced with the LLMs hosted in watsonx to apply the bank's various process, risk and control taxonomies. Through a programmatic method, an obligation is evaluated by a prompt. For example, all the organization's risk categories such as strategic, reputation, wholesale credit, interest rate and liquidity would be tested to see what is applicable. The enhanced metadata supports matching the categories to internal controls and other relevant policy and governance datasets.

The process is consistent and repeatable across regulations where the content is publicly available, whether from third parties or curated by the organization in an obligations library. Mapping and coverage capabilities are not limited to LRRs and include IT and cybersecurity frameworks such as NIST, ITIL, COBIT, Cloud Security Alliance Control Matrix, Federal Financial Institutions Examination Council (FFIEC) and others.

For instance, if a bank wants to ensure adherence to the NIST cybersecurity framework, the solution can map the relevant LRRs to the corresponding NIST controls, providing a clear and comprehensive view of the bank's cybersecurity posture.

How the watsonx Regulatory Compliance Platform accelerates risk management

The watsonx.ai™, watsonx.gov, and watsonx.data™ components of the platform are advanced artificial intelligence (AI) modules that offer a wide range of advanced technical features designed to meet the unique needs of the industry. These components are built on top of IBM's leading AI technology, and they can be deployed on any cloud and on premises.

Within the IBM watsonx.ai platform, users can engage in the comprehensive lifecycle management of generative AI (gen AI) solutions, encompassing training, validation, tuning and deployment procedures. Leveraging foundation models provided by IBM and other sources, watsonx.ai facilitates the exploration of expansive language models, catering to diverse natural and programming language use cases.

The platform incorporates the innovative Prompt Lab tool, specifically engineered to streamline prompt engineering processes. Through the utilization of predefined sample prompts, users can swiftly initiate their regulatory and compliance projects with confidence, subsequently storing successful prompts as reusable assets or notebook entries.

Notably, the prompt text, model references, and prompt engineering parameters are meticulously formatted as Python code within notebooks, allowing for seamless programmable interaction. Furthermore, watsonx.ai offers the Tuning Studio feature, empowering users to iteratively guide foundation models toward outputs better aligned with their specific requirements.

Through the integrated suite of tools offered by watsonx.governance™, users can expedite the implementation of responsible, transparent and explainable AI workflows tailored to both generative AI and machine learning models. Upon installation, watsonx.governance amalgamates the functionalities of Watson OpenScale and AI factsheets, alongside the Model Risk Governance capabilities inherent in OpenPages, consolidating them into a singular service.

Additionally, watsonx.governance extends its governance provisions to encompass generative AI assets. This platform empowers users to assess foundation model prompts and machine learning models, construct AI use cases for the systematic tracking of solutions addressing pertinent business challenges and engineer workflows while monitoring lifecycle activities with precision.

IBM watsonx.data facilitates scalable analytics and AI endeavors by accommodating data from diverse sources, eliminating the need for migration or cataloging through open formats. This approach enables centralized access and sharing while minimizing extract, transform and load (ETL) processes and data duplication. Integrated vectorized embedding capabilities streamline data preparation for various applications such as retrieval augmented generation (RAG) and other machine learning and generative AI use cases.

A gen AI-powered conversational interface simplifies data discovery, augmentation and visualization without SQL proficiency requirements (currently in technology preview). Seamless integration with existing databases, tools and modern data stacks helps ensure interoperability.

Overall, leveraging watsonx for regulatory compliance offers a transformative approach to managing risk and AI initiatives with transparency and accountability. By harnessing its comprehensive suite of capabilities, organizations can seamlessly navigate the complexities of regulatory requirements. This helps ensure responsible AI practices at every stage of the lifecycle, from model training to data management. watsonx empowers users to confidently assess, monitor and optimize AI workflows, facilitating compliance with regulatory standards while driving innovation and trust in AI-driven solutions.
