This is one of the possible Use Cases.
The World Wide Web is the platform of choice for delivering scalable, open access to policies and regulations from many countries, organizations and vertical industries. An interchange format will enable the transparency and traceability required both by standards-based systems and by communities of users (businesses, researchers, not-for-profit organizations, etc.).
The main focus of the W3C RIF working group is on interchange of rules that are, or will be, applied automatically by technology. Many of these automatable rules are the result of business decisions taken by people in the organizations the rules serve, and some of those decisions concern how the organization responds to regulations.
There is therefore a need to interchange rules directed at people as well as automatable rules. This use case assumes that a regulated business has a web-based repository or database of interpreted regulation, together with the related decisions it has taken about compliance, and that interchanged content can be integrated into, and retrieved from, such a repository. Using web standards and technologies to access the repository further enhances the usefulness of such an interchange format.
An overview of a related, but more complex, case was provided orally at the RIF WG meeting in Burlingame, Dec 2005 by John Hall (OMG) and Said Tabet (OMG).
Cases of this kind already occur, but the exchanged content is usually provided as text, occasionally supported by flowcharts or decision tables. Where the content is formally defined, it is usually in legalese: natural language styled by lawyers to be precise and unambiguous, and often similar to the language of the regulations themselves.
The Regulatory Compliance SIG of the OMG is discussing a candidate RFP, which would include within its scope a metamodel for interpreted regulation and related compliance action.
3. Benefits of Interchange
- Enables regulated organizations to interchange a shared understanding of how the regulations that affect them are interpreted
- Enables automated support for comparing regulations from different regulatory sources
- Enables integration of interchanged regulation into a suitable web repository
- Gives regulated organizations easy, vendor-independent access to regulations published on the Web (companies can focus on the content rather than on the infrastructure around the regulations)
4. Requirements on the RIF
- In addition to providing a format for interpreted regulations, the RIF must provide formats for:
- - Compliance action, distinguishing minimum mandatory requirements from recommended good practice
- - Compliance objectives and goals agreed with regulators
- - Concept definitions and a default (English) vocabulary for regulation and compliance
- The RIF format needs to support the expressiveness required for the representation of regulations (both conditions and actions)
5.1. Actors and their Goals
- Regulated Financial Organization: wants to meet its compliance obligations with minimum impact on its business and minimum risk. One important aspect of compliance is being able to demonstrate compliance on demand, i.e. compliance is not just a defence when things go wrong; it must also be demonstrable when things are going right. A corollary is being able to defend the decisions made and actions taken when the organization is found to be out of compliance: acting in good faith (e.g. as recognised in the US sentencing guidelines) can have a substantial mitigating effect.
- Regulators: want to ensure that regulated organizations comply with their regulations, and can demonstrate their compliance.
- National Advisory Group on privacy: represents its members (regulated organizations) within a country, across multiple industries. Negotiates with regulators on data protection and privacy, ranging from clarification of the regulator's intent ("If our members took the regulation to mean this … would you agree that it is an acceptable basis for taking decisions about action?") to agreement on acceptable compliance ("If our members did this … in response, would you accept that it is acceptable action for compliance?"). Provides the results to its members in both push and pull modes, using the Web as a distributed, standards-based platform.
- Financial Industry Group: analogous to the National Advisory Group on privacy, but represents its members (regulated financial organizations) in negotiations with regulators on financial controls and reporting.
5.2. Main Sequence
1. A data protection regulator updates legislation on disclosure of personal details.
2. The National Advisory Group on privacy negotiates with the regulator and agrees an interpretation of the regulation, some recommended rules and a new monthly report. It then distributes the results to its members and makes them available on the Web (accessible only by its members).
3. The regulated financial organization inputs the interpretation and recommended actions into its web repository. It finds no conflicts, decides what it wants to implement, and records its decisions in the web repository.
4. A financial regulator updates regulation on reporting transactions that might indicate fraud or money laundering.
5. The Financial Industry Group negotiates with the financial regulator and agrees an interpretation of the regulation, some recommended rules and several kinds of alert. It then distributes the results to its members using the Web.
6. The regulated financial organization inputs the interpretation and recommended actions into its web repository. It finds a conflict with its privacy compliance policies. The results (conflict reports) are immediately submitted to the regulator.
7. The regulated financial organization decides on a compromise between the conflicting requirements. It extracts two versions of the compromise and sends them to the privacy and financial groups for advice.
8. The privacy group says "OK". The financial group suggests an improvement, using an updated version of what it was sent.
9. The regulated organization accepts the advice and updates its repository, including the explanation for its decisions.
10. The regulated organization outsources its help desk to another country. This brings the company under the regulation of transfer of personal data across international borders. Interpretation of this regulation has already been negotiated and is accessible on the Web in the interchange format.
11. The regulated organization goes to the National Advisory Group on privacy to request the interpretation of the new regulations and to assess their impact.
5.3. Alternate Sequences
Alternate 1: As in Main Sequence up to step 6.
Step 7: The regulated organization cannot find a compromise that meets all regulatory requirements within an acceptable timescale. It decides on the lowest-risk course of action and prepares its case for justifying why it could not comply. It records its decisions on how it will achieve full compliance and by what dates.
Alternate 2: As in Main Sequence up to step 9.
Step 10: The regulated organization acquires a competitor. This breaches anti-monopoly regulation, and the organization has to divest itself of part of its operational business. The body of interpreted regulation in its repository therefore has to be reassessed. Part of the resolution requires sending possible solutions to the National Advisory Group on privacy and the Financial Industry Group for comment and advice.
The essence of this use case is that the processes cannot be fully automated. They require assessments and decisions by people in the business. Those people, however, need automated support for analysis and decision-making, and for interaction with authoritative web sites that provide recommendations and guidance.
Once these decisions have been made there are opportunities for automating their execution, and this is where mappings to executable rule representations will be needed.
The World Wide Web is a distributed, scalable platform that gives the various actors access to regulatory information in a platform-independent fashion. This use case is a further step towards the availability of such information on the Semantic Web, and relates to a new generation of policy systems, the Policy Aware Web (PAW), introduced in publications such as [www.w3.org/2004/09/Policy-Aware-Web-acl.pdf]. The use case identifies a need for interchange at several levels, particularly the business-user level and the automation level (implementation rules). It reinforces the case for making rules and policies available on the Semantic Web, as argued by Tim Berners-Lee and the W3C at the 2005 W3C Workshop on Rules, http://www.w3.org/2004/12/rules-ws/. Sharing regulations is key to transparency and traceability, and an interchange format is a prerequisite for it. This use case also relates to other use cases dealing with reasoning on the Web, e-commerce, negotiation, and any setting in which the availability of data is subject to strict guidelines.