Four Steps to Achieving Digital Compliance

The historical perspective

Historically, contracts for the provision of financial products and services were verbal, relying on trust. But we have come a long way from the early days of the London Stock Exchange and maritime brokers where contracts were made with no exchange of documents or written pledges. For many reasons, this informality became impractical:

  • The sheer volume of transactions and the growing complexity of the products & services

  • The desire of customers to have the reassurance of knowing exactly what the product or service was and the cost

  • The courts want evidence of the existence and terms of a contract

  • Business must know what its liabilities, duties, and obligations are

  • And more recently, regulators require that all the necessary information and disclosures are given to the customer – and want proof (if it’s not written down, it didn’t happen)

The way businesses handled the need for proof was to write down the basis of the contract (terms & conditions, brochures, key features, etc.) and keep a record – initially as paper, and as images later as the volume of business grew. As the phone became an additional channel, calls were recorded to supplement the audit trail of proof.

To make sure that business was being conducted in accordance with the rules and regulations, compliance undertook routine monitoring and reviews of the records to provide independent assurance that things were in order. In the event of a complaint or dispute, the records would be inspected to establish exactly what was said, what information was provided, if the customer was given all the details of the product or service, and if they were informed of the risks.

Regulators, auditors, and courts monitored the conduct of the business to ensure compliance with the rules.

The advent of digital

With the advent of digital, a new set of challenges and opportunities has arrived. Digital has enabled ever more sophisticated assimilation and analysis of data, which allows businesses to personalize the digital customer journey to the point where (theoretically, at least) no two customer journeys are the same.

The diversity of devices and browsers by which customers access information about products and services further increases the challenge of knowing exactly what is happening; if you don’t know what is happening, how can you be confident that you are compliant?

The opportunities and potential enabled by digital are enormous:

  • Content can be personalized to individual customers – they would only see what is appropriate and relevant to them

  • The customer journey can be interactive and responsive to what the customer wants based on the information provided by the customer; AI can create and drive the process

  • The customer is in control of the process and can determine when and how they will interact with the business

  • Products and services can be tailored to each customer’s needs and circumstances

But if the opportunities are enormous, so are the challenges and risks:

  • If the information given to each customer is specific to that customer, how can you be sure that you know what each customer is being shown – and can you prove it?

  • If every session is unique, do you need to monitor every session automatically?

What does this mean for compliance?

Digital presents a significant challenge for compliance to be able to effectively monitor what is happening and provide the business with the reassurance that regulatory obligations are being met.

With the advent of digital, many organizations appear to have adopted a different standard of record-keeping from what has traditionally been done for paper-based or phone-based operating models. Notwithstanding that regulators (such as the FCA) state that their rules and regulations are intended to be media neutral, some organizations appear to be relying upon a lower threshold of evidence about the information provided in a digital journey than they would have done for a paper journey.

For example, in the paper-based world, organizations would typically keep a copy of the brochure, the terms & conditions, the application form, key features, fact finds, and other correspondence in relation to a sale. Additionally, organizations would retrospectively monitor the sales process to ensure that all the necessary information had been provided and that the correct process had been followed and all the necessary warnings, caveats, and authorities had been recorded. In the event of a complaint or dispute, the organization could produce the original documentation (or images of it) to prove what had happened at the time.

But in the digital world, many businesses rely upon retrospectively collating data from a myriad of sources to try to recreate the digital journey that a particular customer should have experienced; at best, this solution is likely to give a partial view of what happened with an element of doubt as to exactly what did happen online at the time. In addition, organizations may not be able to monitor the process effectively, so they cannot be confident that there is no customer detriment.

If businesses do not know what their customers are experiencing and cannot prove what happened in any and every digital interaction, they will struggle to prove that they are complying with all their regulatory obligations.

It is also often the case that the way digital channels are managed is fragmented. Individual functions have responsibility for part of the overall operating model and rely on separate sources of information which relate to their specific area of responsibility.

For instance, IT may have several data sources relating to network or server performance, while marketing may be using a quantitative analytics package to measure drop off rates in specific customer journeys; each data source is providing part of the story but there is no one overall view of what is happening – and more importantly why it is happening and how to fix it.

How can you capitalize on the opportunities digital presents while making sure that you are complying with your regulatory obligations?

The development of digital channels, especially around the delivery of regulated products and services, has been relatively slow. One of the reasons for the slow take-up rate has been concern over digital conduct risk. The issue is in part practical – how can you keep track of the volume of sessions on your website, monitor the activity, keep effective records, and ensure that all the regulatory requirements are being complied with?

The answer is to use an innovative record and replay solution that gives you capabilities equivalent to what business has for paper-based and phone-based channels – a solution that captures everything that happens on your website, monitors & analyzes what your customers do, and alerts you automatically to events that you need to know about.

Step 1: Record every session

The first step has to be to record every session from every visitor to your website – not as a video, but as data so that you can use automated tools to monitor and analyze activity.

The data needs to be indexed so that it can be interrogated and analyzed as and when required in response to events, without the need to tag every piece of data you may want to analyze. The data needs to be capable of being sliced and diced as required. You don’t know what you are going to want to analyze in the future and you want to be able to carry out retrospective analysis.

You need a solution that is designed for data-sensitive environments so that you can comply with all the requirements around data privacy and data protection. The data must be secured and encrypted, and access to it must be controlled to comply with GDPR requirements. This allows all data, including personally identifiable information (PII), to be recorded, while access controls ensure that only those who need to see the data can access it.

Data should be time-stamped and tamper-proof, with a full access log, to ensure that it is secure and can be used forensically. Data security and full disclosure of the fact that data is being collected and retained in accordance with a compliant data retention policy are fundamental requirements.
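One way to make time-stamped session records and access-log entries tamper-evident is to chain them with a keyed MAC, so that any later edit, insertion or removal breaks verification. The sketch below is an added example, not code from this article or from any product; the record fields, the demo key and the sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would hold this in a KMS/HSM (assumption).
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

def _mac(key, prev_mac, body):
    # Canonical JSON so the same record always serialises to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + payload, hashlib.sha256).hexdigest()

def append_record(chain, key, timestamp, session_id, event):
    """Append a time-stamped record whose MAC also covers the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "ts": timestamp, "session": session_id, "event": event}
    chain.append({**body, "prev": prev, "mac": _mac(key, prev, body)})
    return chain

def verify_chain(chain, key):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("seq", "ts", "session", "event")}
        ok = (rec["seq"] == i and rec["prev"] == prev
              and hmac.compare_digest(rec["mac"], _mac(key, prev, body)))
        if not ok:
            return i
        prev = rec["mac"]
    return -1

def build_sample_chain():
    # Constructed sample: two customer events plus one access-log entry.
    chain = []
    append_record(chain, DEMO_KEY, "2024-01-10T09:00:00Z", "s-001", "view:/terms")
    append_record(chain, DEMO_KEY, "2024-01-10T09:00:04Z", "s-001", "click:accept")
    append_record(chain, DEMO_KEY, "2024-01-11T14:30:00Z", "s-001",
                  "access:replayed-by:analyst-7")
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain, DEMO_KEY))
    chain[1]["ts"] = "2024-01-10T09:05:00Z"  # simulate an after-the-fact edit
    print("first bad record:", verify_chain(chain, DEMO_KEY))
```

A chain like this detects edits and removals inside the log but not truncation of its tail; that requires anchoring the latest MAC somewhere the log writer cannot alter, such as write-once storage.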

By recording the data from the customer’s perspective, compliance professionals will be able to see the process the way the customer experienced it, regardless of the degree of personalization of the content or the journey – similar to the way they can listen to phone recordings to establish that all regulatory requirements have been covered.

The solution also needs to collect details of the device, browser, and operating system so that the data can be replayed as a session exactly as seen by the customer at the time – even if it was years in the past. This obviously means storing significant amounts of data; to be able to do this economically, the solution needs the ability to aggressively compress the data while keeping it easily accessible.

Step 2: Monitor every session

With millions or billions of sessions every month, organizations need the ability to automatically monitor all activity and be able to set up real-time alerts that automatically identify sessions where specified, unexpected or suspicious events occur; what needs to be flagged will vary from sector to sector, country to country, but generically it could be things like:

  • Customers spending more than X minutes or less than Y seconds looking at terms & conditions, indicating that they may not have read them properly or may be struggling to understand them

  • Customers who go back and forth between pages indicating that they may be confused

  • Customers browsing the website on multiple tabs in the same browser, possibly indicating fraud or suspicious behavior

  • Sessions where the products chosen by the customer at the end of a process are not consistent with earlier advice or information provided.
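The first three alert rules above can be expressed as checks over recorded page-view events. This is an added example, not part of the original article or of any vendor's product; the event tuple layout, the page paths and the thresholds standing in for "X minutes" and "Y seconds" are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Thresholds are assumptions standing in for the article's "X minutes" / "Y seconds".
MAX_TERMS_SECONDS = 10 * 60
MIN_TERMS_SECONDS = 5
MAX_BOUNCES = 3           # each A -> B -> A pattern counts as one bounce
TERMS_PAGE = "/terms"

# Constructed sample: (session_id, tab_id, seconds since session start, page)
SAMPLE_EVENTS = [
    ("s1", "t1", 0, "/quote"), ("s1", "t1", 40, "/terms"), ("s1", "t1", 42, "/apply"),
    ("s2", "t1", 0, "/quote"), ("s2", "t1", 10, "/fees"), ("s2", "t1", 20, "/quote"),
    ("s2", "t1", 30, "/fees"), ("s2", "t1", 40, "/quote"), ("s2", "t1", 50, "/fees"),
    ("s2", "t1", 60, "/quote"),
    ("s3", "t1", 0, "/quote"), ("s3", "t2", 5, "/quote"), ("s3", "t1", 30, "/terms"),
    ("s3", "t1", 120, "/apply"),
]

def flag_sessions(events):
    """Return {session_id: sorted alert names} for sessions that trip a rule."""
    by_session = defaultdict(list)
    for sid, tab, t, page in sorted(events, key=lambda e: (e[0], e[2])):
        by_session[sid].append((tab, t, page))
    alerts = {}
    for sid, evs in by_session.items():
        found = set()
        tabs = {tab for tab, _, _ in evs}
        if len(tabs) > 1:
            found.add("multiple_tabs")
        # Evaluate dwell time and navigation per tab so tabs do not interleave.
        for tab in tabs:
            path = [(t, p) for tb, t, p in evs if tb == tab]
            # Dwell is only known when a later event in the same tab follows.
            for (t0, p0), (t1, _) in zip(path, path[1:]):
                if p0 == TERMS_PAGE:
                    dwell = t1 - t0
                    if dwell < MIN_TERMS_SECONDS:
                        found.add("terms_too_fast")
                    elif dwell > MAX_TERMS_SECONDS:
                        found.add("terms_too_slow")
            pages = [p for _, p in path]
            bounces = sum(1 for a, _, c in zip(pages, pages[1:], pages[2:]) if a == c)
            if bounces > MAX_BOUNCES:
                found.add("back_and_forth")
        if found:
            alerts[sid] = sorted(found)
    return alerts

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_EVENTS))
```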

The solution should give organizations the option for compliance, marketing or the contact center to be able to:

  • Co-browse and watch sessions in real time

  • Send an automated response – an automated message, a phone call, initiate a web chat, etc.

  • Export the data for integration in data lakes for subsequent analysis

The solution should have machine learning (ML) capabilities so that over time, it will identify patterns that fall outside the expected outcomes, further enhancing the effectiveness of the automated monitoring.

Compliance should be able to develop dashboards that provide the appropriate management information to the organization on the current status of compliance and flag areas of emerging concern. To ensure that senior managers are in touch with what is happening on their digital channels, they should be able to replay sessions as experienced by customers – especially sessions that are the subject of complaints or disputes.

On the usability level, you need a solution that provides automatic insights into the customer journey and highlights where & why customers are struggling, giving you actionable insights and data to solve the root cause of the problem. Rather than have numerous discrete systems that provide data to individual functions, what is needed is one solution that can be used across all functions that facilitates collaborative working to solve issues.

Step 3: Help vulnerable customers

Unlike other channels (paper, phone), digital offers organizations the ability (if you have the right technology) to see everything the customer does, to monitor every journey, and identify customer behaviors that may be indicative that a customer is struggling with understanding the product, the service, or just how to access and use the website.

Monitoring every session as described in Step 2 gives the compliance function the information and ability to be alerted to individual customers who may be vulnerable, allowing the organization to decide upon an appropriate response or additional support to ensure that the customer understands what they are doing.

Increasing automation, the development of digital channels, and the use of contact centers can make it more difficult to identify potential vulnerabilities. As an example, if the solution is able to identify a session in real time where the customer is exhibiting behaviors which are a cause for concern, a contact center agent could establish a link with the customer and co-browse the session and provide additional support.

Learnings from one session can be used to set new alerts so that over time, the organization is able to refine the approach to identifying and helping vulnerable customers using behavioral analytics.

Step 4: Review and investigate

Inevitably issues will arise from time to time:

  • Governments & regulators are going to want you to undertake reviews or investigations

  • Senior management may want additional reassurance about a specific class of business

  • Compliance may decide to proactively investigate a tranche of business in response to market developments

  • Fraud investigations

  • The ombudsman may demand information in response to a complaint

If you have all the data and if it has been indexed, you will have the ability to rapidly undertake reviews and investigations when required – not just reactively, but proactively because as a responsible organization you become aware of something that isn’t right. The ability to interrogate retrospective data means that you can undertake the immediate identification and analysis of all relevant sessions to highlight trends, patterns, outcomes, etc., report findings, and carry out remedial actions as appropriate.

This ability to undertake reviews and investigations instantly without the need for specialist resources to access the data provides a powerful and cost-effective tool for internal and external audits to provide the necessary assurance about the effectiveness of controls.


By deploying the right solution that captures everything that happens on your website, monitors & analyzes what your customers do, and alerts you automatically to events that you need to know about, you can ensure that you are:

  • Maintaining all the required records

  • Monitoring all activity

  • Responding to events as they happen

  • Able to undertake reviews and investigations rapidly as required

  • Equipping your compliance team with the tools to ensure that you are meeting your regulatory obligations