Online Compliance Systems

By Viking Kwok, 

In the last decade, lawyers all around the globe have been attracted to several main areas of technology in improving their work: hypertext, text retrieval and inferencing systems.

They have been invaluable in contributing to the computerization of legal resources, the results of which can be seen in their applications, such as, legal web sites, web-based case management systems and rule-based inferencing systems for the administration of law.

More recently, there has been a hot area of development - online compliance systems. Strong interest from consumers of legal services and products has lead to the development of a multitude of compliance systems, including:

Acuiti and Law of the Jungle's Better Business Program;

Blake Dawson Waldron's ("BDW") Self Administered Legal Training ("SALT");

CCH's Online Compliance Training;

Gilbert + Tobin's ("G+T") SherpaOnline;

LAWLEX's Compliance Toolkit; and

Minter Ellison's SAFETRAC.

Although online compliance systems is a thriving area of progress, they have failed to receive widespread attention. This paper will seek shed some light on this area by analyzing aspects of compliance systems that affect their ability to perform as a useful technology within the legal system.

Compliance in the modern state

The rapid growth of the compliance industry worldwide suggests an increasing reliance on compliance-based regulation. This is consistent with the growing body of academic theory and studies which argue that the role of the "contemporary state is to govern by 'the devising of forms of regulations which permit and facilitate natural regulation' (Gordon, 1991, p19; see also Garland, 1997)".

This new approach in public policy recognizes that regulation is in competition with other forms of social controls and the optimal course of action is for the state to 'steer' and not 'row', as to prevent inflexibility and regulatory inflation. In certain circumstances, the persuasive and cooperative elements of compliance-orientated regulation are necessary to complement the deterrent-based systems of prosecution and punishment in order to have effective execution of policies. In particular, where businesses realize the need to develop a long-term relationship with regulators, a compliance method of governance which is internal and proactive will be more successful.

Importance of compliance

The academic theories on compliance are not far-fetched ideas detached from reality. There has been a significant push by courts and the legislature to encourage compliance programs. In TPC v TNT Australia Pty Ltd, the court affirmed the decision in Trade Practices Commission v CSR in the importance of compliance programs as a mitigating factor in assessing damages:

"Whether the company has a corporate culture conducive to compliance with the Act, as evidenced by educational programs and disciplinary or other corrective measures in response to an acknowledged contravention."

The more recent case of ACCC v Rural Press Ltd not only confirmed the above principles, but further encouraged the use of compliance programs by allowing the implementation of compliance programs after a breach of the Act to be considered as a mitigating factor when determining the penalties. This is in harmony with the ACCC's policy on leniency which considers whether a corporation "is prepared to take immediate steps to rectify the situation and ensure that it does not happen again"

Recently, legislation has raised the increased need for compliance, an example of which would be the Criminal Code Act 1995 (Cth) that lists compliance programs as a factor to take into account when assessing for liability. In addition, there is growing necessity for the use of compliance programs under some areas of law such as: privacy, trade practices, discrimination and harassment, financial services and Goods and Services Tax ("GST").

Compliance Systems - Benefits, Elements and Objectives

A compliance program is defined simply as a "system designed to reduce an organization's risk of breaking the law". Sections 2 and 3 of AS 3806-1998 describes a number of structural, operational and maintenance elements that form a compliance system. It is clear from the Standard that compliance is a matter to be implemented in a holistic approach, and that compliance systems are not programs that are merely tagged on to business processes without significant commitment and investment. This is an important observation to keep in mind when considering role of online compliance systems.

Given the position of the courts and policy makers, it is vital for businesses to prevent breaches of laws. In particular, effective compliance programs will:

Prevent, identify and respond to breaches of laws;

Promote a culture of compliance; and

Assist the organization in its role as a good corporate citizen.

Successful implementations of compliance systems will yield strong benefits to the businesses, such as:

Minimize litigation risk;

Minimize effect (such as penalties and costs of rectification) on the business in the case of a contravention;

Enhance corporate performance by improving business practices resulting in higher quality good and services - instead of having problems identified by consumers or regulators;

Reduce directors' duties and liabilities;

Protect the reputation of the business and directors;

Minimize government intervention; and

Increase public acceptance of the corporate sector by enabling broader and wider benefits to flow on to the community.

What are online compliance systems

Online compliance systems are applications delivered over the Internet with a view to ensuring compliance. There are two main components of these systems:

1. a training or eLearning tool that teaches a user about the law; and
2. an administration system that allows compliance managers to manage, assess and monitor the level of compliance.

The training tool usually consists of a plain-English compliance manual along with a series of test questions, akin to the traditional lecture and testing method. The administration system documents compliance by generating reports on the results of employees on the various training programs, and sometimes provides additional features to notify users if their compliance level has violated a certain threshold. Keep in mind that the administration system plays a vital role in documenting compliance, which is essential for improving the organization's compliance level, and ultimately, it becomes valuable evidence in court to show the extents to which the organization has attempted to ensure compliance. The administration system renders the task effortless while still being accurate in its results.

These general features have not stopped the law firms in differentiating their products beyond a mere superficial aesthetical sense. Minter Ellison's SAFETRAC has a more traditional approach by having a set of compliance documents which users can more or less browse through at their leisure, similar to a small and easy to read book. This is followed by a tutorial which is a set of multiple-choice test questions based on scenarios. The tutorial will provide immediate feedback and comments on the choice of answers. Once the tutorial has been completed, the users can then attempt the 'real' test which is used to assess their level of understanding.

BDW on the other hand, has created a more linear approach to the learning system. A user must pass through (in a linear fashion) the training modules which include information on the law combined with test questions that also have immediate feedback. Once this training section has been completed, the user can attempt the 'real' test which will once again be used to assess the user's level of understanding. Both Minter Ellison and BDW have implemented the training in an intuitive manner, increasing the ease in which a user can learn about their legal obligations.

The administration module of the products usually consists of several main areas of functionality:

a reporting mechanism used to generate various types of reports on the compliance level of users;

notifications to alert users who are below a certain level of compliance;

user permissions as to allow different types of users to perform different tasks - for example, compliance managers need to be able to edit details of their organization or set compliance rules;

user details so that the system or the manager can identify and contact the users where necessary;

content editing to enable clients to alter the data where necessary;

compliance rules to match the required level of compliance; and

importing of users for managers to automatically transfer a set of users and details to the system.

Perhaps the most vital area of the system for managers is the reporting feature. SALT, for example, has the ability to generate reports on an individual or parts of an organization in relation to different modules. On top of these basic operations, there is usually the ability to compare the reports over time or export them to other formats such as Extensible Markup Language ("XML") or Comma Separated Values ("CSV"). Such functionality can only be delivered through databases.

Why online compliance systems?

The emergence of online based compliance systems is a result of several factors converging temporally. As with most other businesses, products are formulated around consumer demands. In the case of online compliance, the changing philosophy regarding the role of the state has prompted a necessity, particularly for large organizations, to manage their legal risks through compliance.

Equally, law firms saw the need to service their clients much more closely and meet their demands. It was a chance for law firms to serve their clients more comprehensively and enhance customer satisfaction and loyalty. It was also believed that this would lead to increased work from the client, through directly relevant work such as compliance risk assessments or through cross-selling other services. Perhaps an interesting example of the success of the approach was the ability for Minter Ellison to cross-sell their project management services as a result of a client learning about their product and the necessary project management skills needed to develop such a product.

The origin of online compliance systems certainly seems to have stemmed from large corporations, at least in the case of Minter Ellison's SAFETRAC. SAFETRAC was initially developed for Qantas, delivered as part of a complete trade practices compliance program, which included risk assessments and the creation of a compliance policy and manuals. Once it was demonstrated that the technology was effective and efficient, other customers swiftly took up the technology, as did Coles Myer.

Although large corporate clients have generally demanded a strong compliance culture (as it reduced the risk of the corporation), for much of the time, it was not feasible. The cost of developing a high standard of compliance was simply too high. This was perhaps demonstrated in the Trade Practices Commission v CSR case where the defendant had only implemented a very rudimentary program including a compliance manual with very little 'commitment' to the program. No doubt the lack of commitment was a result of a lack of resources - no lectures had been given to staff for over 3 years, nor had the manual been updated for a decade! Indeed, this very same case strikes an important point relevant to the importance of online compliance systems - merely having a compliance program is insufficient; there needs to be a demonstration and commitment as to the effectiveness of the program.

By 1999, the technology had matured to a stage where significant progress could be made on the cost versus return ratio of compliance programs to render such projects commercially viable. The strong growth of the Internet opened up a window of opportunity to reduce the costs of information distribution and management. Minter Ellison, which was originally planning a client-side based software swiftly switched their development platform to the Internet while Blake Dawson Waldron began an Internet-based version of their compliance software after years of distributing a disk-based version.

The Internet offered the ability to deliver an application that was universal in format - that of the World Wide Web ("WWW"). As long as the clients had access to the Internet and had web browsers installed, it was simply a case of maintaining a web server. The improvement in computer literacy enhanced the feasibility of this process immensely. Upgrades to the software could be done by updating the server, without a need to update each individual client computer as was previously the case. This model, the "Application Services Provider Model" ("ASPM"), certainly alleviated many existing management issues that arose for a compliance programs for large numbers of staff.

Furthermore, as Ross Patterson, partner of Minter Ellison in charge of SAFETRAC noted, it was a "nightmare" to administer and assess the effectiveness of compliance programs, particularly for organizations with employees all over the world. An online compliance system meant that corporations no longer had to force their employees to attend costly seminars or training programs. Instead, their employees could flexibly attend to their compliance obligations whenever they were free to do so, and the application would be able to administer the compliance requirements while monitoring the effectiveness of the training. This cut down the costs of running a compliance program but also meant that the quality of compliance could be monitored and improved where necessary.

Another benefit of innovative use of technology is the drastic fall in the average cost per user to access these compliance products. The uniform delivery of the product via the Internet has reduced the costs of distribution to such a stage where the market will take up a more generic but significantly lower cost product. Minter Ellison for example, has redesigned their product to enable organizations of up to 500 users to access their privacy course for $5,000. At $10 per user, this has the potential to expand the market towards the small and medium enterprise ("SME") market, suggesting an improvement of the standard of compliance for that area of the market. Moreover, Minter Ellison has launched an association program where industry groups can subscribe to 'generic' courses for their members. This contrasts sharply with the larger end of the market where complex corporations require a comprehensive bundle of services including risk assessment and a compliance program implementation that involves a high level of customization, increasing the costs.

Technology

As discussed above, online compliance tools are developed for the Internet platform - in particular, the hypertext system known as the WWW. The WWW is an umbrella term for a number of technological standards created by the World Wide Web Consortium ("W3C"). From the humble roots of the first version of HyperText Markup Language ("HTML") in 1992, the WWW has evolved into the current HTML version of 4.01, along with a set of complementary technologies implemented in browsers such as Cascading Style Sheets and the Document Object Model. The development of browser technology is continuous and there are upcoming standards which are expected to dramatically change the landscape of the WWW, such as XML and the highly touted 'web services' concept.

Online compliance systems are web applications based on the employment of the technologies mentioned above. They require browsers which satisfy a minimum level of technology implementation, such as Microsoft's Internet Explorer version 5. A few years earlier when online compliance products were newly released, there were significant issues with browser compatibility issues. This arose because different corporations used different brands and versions of browsers, some of which were not compatible and implemented the W3C standards differently. As such, there was often difficulty in creating a uniform and functional web application to all clients. With W3C standards being applied more rigorously and accurately to the newer generation browsers, this problem is largely historical.

BDW, Minter Ellison and G+T all utilize a Microsoft technology, Active Server Pages ("ASP"), to drive their applications. In addition, BDW and Minter Ellison both use the ASP technology in partnership with yet another Microsoft solution, the database software SQL Server. ASP and the database software are used to run the web application by allowing server-side processing of information, which essentially allows the server to build a web page on-the-fly and dynamically, depending on the circumstances of the request. It is through the use of ASP and a database (as opposed to static web pages) that an online compliance systems can perform some complex tasks, such as monitoring whether users have completed certain training modules, or provide comprehensive organization wide reports on the level of compliance.

The use of the ASPM by the law firms to deliver online compliance systems is a recognition that while compliance needs to be integrated into the clients' business processes, the provision of the parts required for the integration can be outsourced to law firms. Unfortunately, although this removes the need for clients to install and maintain the application, law firms now have to deal with a number of problems that are not core to their traditional businesses:

Maintaining a server and Internet connectivity;

Supporting for the application; and

Security for the data.

There are different responses to these issues. BDW for example, maintains a server by leveraging off the internal IT infrastructure. This is a reasonable course of action as law firms view IT as a core supporting part of their businesses which are internalized and is therefore easily extensible to maintain the servers. However, where necessary, certain functions such as hosting are outsourced.

Product Development

There is a surprising variety in the process of development, for example:

Acuiti chose to partner with the software developers Law of the Jungle;

BDW developed SALT entirely in-house except for the database structure; and

Minter Ellison outsourced development to Digital Zoo and outsourced the eLearning consulting work to Education Image.

These differences reflect the unique circumstances of the law firms. BDW has a long standing relationship with clients for compliance products, and therefore has a long history of in-house development. Therefore, it seemed only logical for them to utilize the years of accumulated expertise to produce their product internally.

Minter Ellison developed their SAFETRAC product to meet client demands, and thus had strict deadlines. This brought the need for Minter Ellison to focus on their core competencies and allow experts in other relevant fields to contribute. As noted by Ross Patterson, the outsourcing arrangements meant that there was more predictability and certainty with outcomes as parties were bound contractually.

Perhaps of interest is the way in which the law firms have tried to service their clients. Both BDW and Minters looked at the possibility of streaming video for the training components of their products, but as the technology was still unable to deliver a quality and cost effective solution, it has not been implemented.

The future

Online compliance systems are already a significant improvement in the way law firms service their clients. Indeed, these products are deviations from the traditional services that law firms offer - which is ironically consistent with the overall trend in the industry. Increasingly, law firms are bundling support services that streamline legal related processes, many of which are in the form of eServices (such as litigation support, case management systems and expert systems).

So, where lies the future for compliance systems? It is clear that in the Australian context, the market is relatively mature and becoming crowded. A complete review of the different systems offered on the market will further enforce this idea as different products perform very similar functions if not use the same technology in some cases.

Technologically, there is unlikely to be significant growth in terms of functionality enhancements that has been experienced in the last three to four years. There will no doubt be a continuous development process (as with all software development), perhaps in moving towards more advanced, interoperable and unified systems (e.g. Microsoft's .NET framework and XML). However, unless there is change to the underlying drivers for compliance, such as the courts imposing different requirements to the compliance process, there is not much more room for innovation in such a developed market.

What is possible however, is the uptake of compliance tools by other areas of the markets such as government organizations and SMEs. This will coincide significantly with the development of laws, which increasingly put pressure on all market participants for some level of compliance. Recent changes in laws such as the GST and the new private sector privacy regime has already initiated the charge of online compliance tools into the SME market.

There has also been a push overseas by some Australian law firms to exploit the untapped markets. This is a particularly prudent move as Australian law firms are renowned for their innovative use of technology and the quality of legal services.

Conclusion

Online compliance systems have made significant ground in the last four years. Their role is of increasing importance as the nature of the state evolves, which demand social institutions to internally bring themselves within the constraints of the law. What is yet uncertain is the real effectiveness of these systems. Certainly, one can make an educated guess at the positive impact these systems will have on corporate behavior, but as compliance is still a relatively unexplored area of legal practice, there is yet to be comprehensive studies on the effect of online compliance systems.

Software

© 2006 FindLaw