The Future of Global HR and Payroll Regulatory Compliance – Automation of Monitoring, Inquiry and Validation

Robert Gerbin CPP

VP Global Payroll Leader at Wells Fargo Bank N.A.

Learning Objectives

Global HR and Payroll Regulatory Compliance continues to top the list of surveys from business leaders. In the past global regulatory compliance management has been a manual and risk laden effort, but as we move forward with innovation and new thinking, organizations now have capabilities and methodologies to greatly increase compliance efforts while increasing the speed to mitigate. This webinar will ask it's attendees not to shy away from challenging aspirational dialog.

Key Takeaways:

  • We are in a state of global regulatory compliance automation transformation as innovation solutions become more availiable and engaging

  • Improving regulatory compliance methodolgies are here today, along with the tools and resources to make a difference

  • Leaders should not shy away from challenging asipirational thinking, rather the challenge should come from just believing it is possible

"I think where the future lies, and this is the blue sky future capabilities, is that this could be scalable across the organization, not just with HR."

Robert Gerbin CPP

VP Global Payroll Leader at Wells Fargo Bank N.A.


Hello, and welcome to the future of global HR and payroll regulatory compliance, where we’ll take a look at automation of monitoring, inquiry, and validation. My name is Robert Gerbin. I am a Global Payroll Leader for Wells Fargo Bank. For the past 25 years or so, I’ve been involved in HR in global space. I’ve looked at working not only within industries, also working as a consultant. I have experience in over fifty countries and implementations on four continents. I’ve had the pleasure to not only work with some of the finest organizations, but also midsize and smaller companies not only working through mergers, acquisitions, transformations, but also having to do with organic growth opportunities, having to do with compliance, audits, and of course, performance and quality management.

Lately, I’ve had a great focus upon innovation and dynamics in an area which I’ve been looking at improving regulatory compliance management through innovation, through artificial intelligence, utilizing natural language processing, and data science. It’s because of the focus for the past couple of years in the area of AI, and improving regulatory compliance aspects for management within organizations.

I’m pleased to talk about the topic of how to use automation, with global regulatory compliance, as well as looking at the leading edge of what we see into the future. The agenda today, we’ll look at the actual problem statement, the challenge to solve, and of course, when we look at the future about utilizing innovation, as it relates to regulatory compliance management. As we get started, let’s ponder a thought and a challenge. I was once in a committee meeting—one of the committees that I’m part of—and the discussion was about regulatory compliance. The fact that numerous surveys that come out, usually the number one response on, not only from a leadership perspective but from organizations, is about compliance and regulatory compliance. The discussion came across as well. What can organizations really do when they’re a large company or they have a large footprint, multiple countries or even multiple entities? When I thought about that, I said, “Well, it’s just the same as a small company, being able to make sure that they’re understanding what’s not only from a compliance aspect, what they should be doing, but also monitoring what regulatory compliance laws that come out and making sure that they’re following through with those.”

If we look from a much larger picture and understand today, we’re probably doing this in a much manual effort, think about having to manage multiple entities across the globe. The challenge was, do you think we could ever do that? I thought, I really believe we can when we look at innovation, and what we’re seeing in front of us, not only from artificial intelligence and natural language processing or robotic process automation. I think it was the challenge that I got scared away from. Personally, I said, I think we could do this. I don’t think we know how to do it just yet, but we could monitor the globe from a regulatory compliance standpoint, and understand what’s important to our organization and move forward.

That’s really what I want us to think about. It’s not the day to day, what we see today, in a manual processes of getting certain regulatory alerts and understanding instead of just looking at maybe 30 or 40 different email sources or data points, what if we’re able to monitor the globe from a regulatory standpoint? Every single one of those key data points of the regulatory nature that may impact each of the legal entities or business structures, what if we’re able to manage those from a standpoint of having a pulse? We understand how quickly we can get the alerts and we increase the speed to mitigation. I think that’s the challenge that I’m really wanting to discuss, because I’m excited about some of the learnings that I’ve had, and I’m looking forward to sharing that. Commonly, organizations might think that one problem is quite different for many different organizations, being a small company or mid size or a large company. The fact is that we all have to follow regulatory compliance—local, state, regional, and country. Regulatory compliance needs to be followed.

I have examples here of payroll tax reporting, permanent establishment, private information management, labor, wage in hour, and employment requirements. All these risks are not just for a small organization or midsize or large—it’s all organizations. When you see risk from a reputational standpoint or financial or brand or operational or employee risk, when we think about the types of reporting that needs to be done, and it’s just not from a legal entity aspect or corporate tax. When you think about the tax reporting—example would be with short term business travel, making sure that if you’re traveling from one state or another, or you move from one state to another, or you’re working in certain states for long periods of time—making sure is the organization reporting correctly or do we have individuals that are traveling and visiting different countries, and they might be starting permanent establishment issues without us knowing about it.

The regulatory compliance nature is really big. I think it’s just not about the fact that organizations need to make sure they’re compliant with regulatory laws, but it’s also about how the organization manages it. Is it important? If it’s important, how do you make that happen? Just also not about policies and practices, they all have to align from one another, and I think that’s where we are today. The fact is, it’s very challenging, or the fact is, we’re focused on our customers and taking care of our employees. Part of the job or the requirements you see in the job description is to make sure, for some positions, that we are compliant with regulatory compliance from state, regional, and country specific scope. It’s in responsibilities of all of us, as each of our organizations, but at the same point, is it really focused on our day to day activities that not only are we doing what we should be doing, but are we really keeping an approach that mitigating risk or any alerts that can come up and how are we handling that. I move through that problem statement, and I continue to work through from a manual process into a much automated program. I understand that there was an opportunity, very fortunate in our organization, that the fact is compliance, and mitigating risk, regulatory updates, and how we manage them. We take a very conservative approach in making sure that we do everything we possibly can to abide by any type of regulatory compliance. We don’t look at something from a risk standpoint. We really move forward and make sure that we are complying with regulatory jurisdictional statute. That’s important to us, as an organization, as it should be, for most. It’s a challenge about how to do that—that’s important.

A couple key points that when we think about we need to address. First is keeping up with the regulatory changes, how fast they occur within an organization that may have hundreds of entities around the globe, not just say, in the US, but around the globe, and the type of changes that are occurring not only from a geopolitical standpoint, but when we look at all different types of impacts from the standpoint, politics, and the nature of where rules and policies and regulations may change, may go in different directions, but the one thing is that they don’t stay the same. They are constantly moving. They’re also meeting different business requirements or look at trends in the aspect from a financial industry aspect. What does that mean? It’s just a very dynamic world that we live in, and such regulatory changes will continue to be in front of us. The other challenge with that is, do organizations really understand all of the regulatory requirements that are required of them? I think that is something that is assumed that organizations understand, but how often do we go back and say, “Okay, are we really doing this?” Maybe there was an update on how a payslip may look like or how do we tell the story from a per diem aspect or where we look at taxable fringe benefit. Are we really knowing what we should be complying to? I think that’s something that needs to be on the forefront of any organization. It’s just not about keeping up with regulatory changes, but it’s also making sure that organizations are focused, that they’re meeting the requirements just on a day to day basis.

The next area to take a focus is the alignment with business risk posture. I think this is really important as the aspect of making sure that any organization is fully compliant from a regulatory standpoint. At the same point, where do organizations exist? If we’re going to be completely compliant across the board, what does that mean from an operational standpoint? Where does the difference per se, in an employee experience, meet the compliance aspect? Organizations strive to make sure that from a regulatory compliance aspect, they are meeting those requirements? At the same time, what does that impact on the organization? Not just from a financial aspect, but just from a cultural aspect, what does this actually mean? You can take a look at something I think I used an example of, and I used it before with multi state tax reporting. Something that I see organizations do is they can either have one or two approaches with multi state tax reporting. The first is, they can have us follow the state statute, and that’s basically saying, it’d be nice if all the states had, from a tax reporting aspect, they were all the same, but they’re not. An organization can say, Okay, no matter what state, we’re going to make sure we report from whatever day one is for that state. If it’s after being there for 10 days, you start to report.

Now, as a business, that could be quite challenging operating in all the states. An organization may say, “Instead of having different states and different requirements, and us managing that, why don’t we take the stance that maybe after 15 days, every state, they will start reporting.” It’s definitely something when you think about alignment from a business standpoint, but it’s also from a risk posture. You can take a look at what we may not have a lot of travelers in one state, and we may not have a lot of travelers in another state. You look at the key states and you know, what does that mean for your organization. Again, it’s about the risk posture. I think that’s important when you think about how you want to approach that and the type of questions that will be asked as you continue to develop a regulatory monitoring program.

The next aspect is complexities of multiple jurisdictions. I covered a little bit before in saying you have a small organization with one entity in one state, or you can have multiple entities in multiple jurisdictions, multiple countries. What this means is that you’re having to monitor the regulatory updates in each one of those jurisdictions. Even with that, you can think about, okay, well, that’s fine from our standpoint. We got 30 countries, this is what we’re doing, we can monitor those. At the same time, you may have different types of businesses. You might have a manufacturing business, so you can see how maybe work councils, work in Europe, and then you look at other aspects of different types of pay that are required, say, for example, some of the 13th pay in Latin America, how does that work? You see these different updates in the type of workers that you have or the type of businesses on top of the complexities of having multiple jurisdictions. How do you manage that? How do you continue to imagine you can think about the aspect of, you know, from a strategy aspect, but also, globally, but you want to think locally that there is some truth to that the local business is really guiding some of those discussions. They should be monitoring the aspects of how things are changing, and also third parties also help with that, say, payroll or tax advisor in that sense, but you’re still having to monitor as an organization—you’re still responsible.

I think the last part—when you look at putting together a global regulatory compliance approach is the speed to mitigate. What does that mean is how fast can you mitigate that risk. How fast can you determine are right now I understand there’s a new taxable fringe benefit that I needed to take care of in Argentina? How quickly can I get into making sure that we are doing that on a day to day basis?

The things to think about, there’s really two aspects to speed to mitigate. The first is how quickly can you identify that there is a need, or there’s a gap. The second aspect of that is how fast once you know it, can you mitigate it? That’s what we’re going to get to as we look at the challenge, and where I think we can look at from an innovation aspect is we can drastically improve the fact of how quickly can we be notified, because that thing gives us a little bit more leeway on how long that may take us from a business perspective to mitigate it. Now, actually, I think about the future and both the speed to identify it and to mitigate it can drastically be increased by actually formalizing the process. That’s something that we’ll look at as we move forward.

Now, the [inaudible], and this is where and that discussion at a committee meeting, whether it was raised well can you really monitor the globe in an on demand environment from a regulatory nature. Some people said they don’t think that’s ever going to be possible. Why I think that position is being taken is because of what I call the high risk model that we utilize today. If you’re operating in an already high risk environment than in a very manual process, it’s very difficult for those same people to say, Okay, well, how can they leap into some state of innovation, or some state of a more automated aspect of regulatory compliance, that I’m utilizing a artificial intelligence or I’m utilizing new tools to make this happen? I think that’s the challenge part, that’s the solve. It’s today, when you think about the processes to make this happen, can you go to your organization and say, “Can you give me the standard operating procedure for managing regular regulatory compliance management? Do we have that?” Most often, I haven’t seen it. We get these email alerts from different providers. We go to conferences. We have publications, periodicals, and then we take it from there, and then we talk to our technology or our tax groups or benefits or HR, and then we move forward. With [unintelligible], there’s no formalized SLP for making that happen. How well can you improve on something when there’s something that doesn’t exist? Today, you can’t really think about it because it’s just not formalized. That’s a really good start to move forward in.

I think the other is the duplication of accountability across lines of businesses. The larger the organization, you’ll find that there’s the same job being happening in multiple areas, but they’re just focused in a different area. You have resources that are focused on regulatory compliance, but some might be focused on payroll tax, some might be focused on wage and hour, some might be focused on health, employment tax, legal. The fact is, that most often, there’s duplications across the organization all focused in different areas. The problem with that is that there’s going to be a working assumption that someone may already be doing this. if you get something like, “Oh, this is tax,” and an organization or a group might say, “Okay, well, I’m in benefits, but I think this is tax.” What they always say, “I forward it to the tax team,” and say, “Hey, do you have this?” or through the HR team, or the payroll team, or they’ll just say, “Well, it’s a payroll thing,” so the payroll team must have it. That is not a recipe for success, and it’s very high risk, and that’s what we see today. Is there any type of process that says if I get a regulatory alert that’s maybe having to do with employment tax, and I’m residing in benefits, where’s the process that tells me I need to go send it to a specific person or a specific group? Very high risk. Very manual.

The further onto this is the lack of quality assurance and controls to detect those gaps. If you don’t have a standardized process, you’ve got multiple people doing multiple things. How do you know where there’s gaps? How do we know where we’re missing things? That is key, if you’re out in a very heavy regulatory environment, or you’re being put under audits on a regular basis to make sure that we don’t have those gaps. Are we making sure that we are doing what we should be doing? Maybe a manager and a certain region, are they doing what they should be doing? What controls are we putting in place to make sure that we’re mitigating the risk? Non-dedicated resources focused on regulatory compliance, then you’re going to say, “I can’t really afford to put dedicated people on this. This is the responsibility of leaders and managers to make sure that we are compliant. We’re following the laws and the rules and regulations that we’re supposed to.” Now, that is true, but again, if you think about the fact is, if you’re saying, “I’m busy focusing on my customer, but I can’t put all those dedicated resources at the same time, making sure that I’m fully compliant, especially monitoring for a large entity across different jurisdictions.” Maybe you’re only in a few states—that’s still some management—maybe in the US or even globally.

If you look at all the different organizations that are trying to make sure they’re compliant with regulatory requirements, it’s even more important to say we don’t want duplication of efforts. Maybe let’s have one team and they’re dedicated to do this across the organization. The problem even with that is making sure that there’s a process set in place that has the right subject matter experts to determine what regulatory impacts one group and where it does another. That’s what I think artificial intelligence and natural language processing, it no longer is a working assumption, it’s no longer subjective of somebody determining within legal, “Is this a payroll tax issue or is this a compensation issue?” I’ll send them to both, I may send them to one or I may send to none. The ability to set a model and determine—the ability to make sure not only from a dedicated resource side, but making sure even with those resources are understanding why something may go.

Lastly, when I look at the high risk model is, just utilizing email alerts from third party services, I think that’s the low hanging fruit. Most organizations that are out there that help with regulatory management will send alerts. They do that quite well. They put huge teams and resources toward making that happen. The fact is, it’s about the whole picture. It’s how fast can we identify. You’re already putting yourself behind if you’re relying on say, periodicals to come out, or I get the the magazine of my industry and I’m waiting for that to come out, or I do get these alerts, so I have quarterly reviews. Again, you have to make sure you are notified as quickly as possible when these changes are occurring. Any delta from that is putting you already behind the ball. It’s important to think about how quickly can we move into the future. That’s where we get the high risk opportunities that we want to move forward to, when we look at what I call realization of aspirational dialogue.

From this, I think about what can we do and how can we challenge ourselves to make this a success as we move forward? I think it’s important when I think about aspirational dialogue, is there some great individuals in organizations, great leaders, and they talk a lot about the aspirational dialogue, “Wouldn’t it be great if we did this? or “That’s a great idea, we can do that,” but the realization aspect is what’s important. I think from an innovation perspective, is that there’s a difference between what we do today and not knowing how to solve the gap. It’s what I call solving for the [inaudible]. How do I get from where the high risk model is today, over until the aspirational dialog, when I don’t understand what the solve is? I don’t understand how to gap that. I don’t know the tools that I needed to make that happen. Sometimes, you don’t need that. What you need to think about is what is the environment that we want to live in, work in, and greatly move forward as an organization from a transformation aspect, and I think that’s what’s important.

You see some of the realization of aspirational dialogue here to the right, and we’ve talked about some of these things. I think the most important aspect is to think about if I want to realize something, I may not understand how to get from the high risk model over to where I want to be, but that’s okay. The thing is you need to think about not just the obstacles or how do you get there, but making sure that you understand that the first asking the question is what’s important, and that’s where I’ve gone. I’ve looked at the areas. I learned more about artificial intelligence. I learned more about what I find myself having to do in the areas of say, natural language processing, robotics, or RPA in data science. When we look at specific new tools that are coming out in these areas, how do we apply those as we move forward? I think that’s the first thing is ask the question. When we look at the future, and the future is this is what I’ve been getting to. How do you get from that state of a manual process of those high risk into the area where utilizing next generation tools?

First of all, important to remember that when we look at today’s path, the regulatory compliance governance or management. You’ll look at it in these boxes, the first you’ll see is the monitoring. You’re monitoring the regulatory landscape, you get those email alerts, getting the publications. You’re doing the very best you make sure that you’re having great visibility to things that you need to know. You inquire is after you think about, Okay, I have a monitor. I see something. Now, I need to inquire. Do we do this or do we not do it? This might mean reaching out to other people in the organization. How do we do that? Again, that’s a manual process. It’s subjective. Even if someone says, “I understand that possibly this is a compensation issue for Canada. I need to send out to the Canadian HR person to get this back.” Can I make sure that they’re validating? That gives us the next step, so we’re inquiring. The problem though is now we’re counting on somebody else that may say, “I think it’s important or I don’t, or it might not be important today, it could be important tomorrow,” or they might just not even care, “I got other things to do. There’s more important things to do.” Maybe it doesn’t funnel its way to the top, so the validation then becomes very difficult. In effect is from a risk standpoint, I’m validating. Now I can get something that comes back from somebody and they said, “Yes, by the way, Robert, we are compliant on validating the fact that we now make sure that we’re adding lunch breaks and just additional break per the new law that came out. We can validate that because we do see we did a configuration in the timekeeping system, and this can be validated.” I think there’s some complexities to it. There’s also the validation of someone saying, “Yes, this is what we do.” I think that’s where we start to get a little bit in trouble, so we need to make sure that from risk position, are we just not taking the word of somebody, but how do we actually validate it from a system standpoint, or from a policy or practice. Show me that. Where does it sit with truth? I think that’s important.

The last step is to mitigate. If we find out that we have a gap, we want to go ahead and mitigate it. I think from a leadership perspective, I see where the gap is, because as a leader, I’m saying, All right. I hope they’re monitoring out there. They’re going to inquire, they should validate, but am I sure they’re going to mitigate the risk? If it’s something that a pay slip needs to be updated or something from wage and hour needs to be updated, how do we mitigate that? Not just from a business standpoint or from a risk or compliance standpoint, but from a business standpoint. I think understanding that we’ve mitigated it is important. Not only with that, but when you look at from metrics and from quality assurance, impact. You can look at different types of metrics to say—and I think this is really important is how fast did we identify something that we needed to to verify it? How fast did we do that? How fast did we mitigate it? How complex was the process to make this happen? We found out about it very quickly, but because of the red tape, and the amount of internal hurdles that we need to go through to get something done, we were not able to maybe do something quick enough that we really wanted to. We couldn’t really get that regulatory compliance date faster than we wanted to. That’s the type of data that, from a manager standpoint, being brought up to leaders and saying, I think we’re okay. We really have some internal ways of doing things. I think organizations are turning to things like agile and other aspects to work quicker, but I still think it’s important to think about regulatory compliance in the area of monitoring, inquiry, validate, and mitigate.

Here’s where I’m very excited about the work that I wanted to share, because this is where we move into the next generation. This is where the enhancement in artificial intelligence, and again, RPA, and other aspects of moving forward into automation is right for us to move. I have a saying, I called teaching fish to eat fruit. That is really thinking about how can we hit the low hanging fruit, but at the same time, how do we teach ourselves to do something different? That’s where I look at what we can do today. What we can do today is utilize artificial intelligence and natural language processing to start monitoring hundreds of regulatory compliance data sources, both the email alerts and screen scrapes of actual regulatory updates that are occurring. Instead of just signing up for different vendors that provide service—and you maybe have 30 of those that you’re counting on that provide emails—artificial intelligence will not only be able to monitor those alerts that come in, but every data point that we give it. We look at focusing on regulatory compliance, websites, different pages, different areas of wage and hour from an employment standpoint, taxation. We can focus on different AI models to monitor where we see updates and the actual language to make sure that we’re notified of those important updates that they occur. We go from monitoring maybe 30 or 40 email sources to literally hundreds and possibly thousands of data points that can be monitored on a daily basis in a real time environment.

To tell you the truth, that’s the part where I started from to the challenge of thinking, is this even possible? Could I do it? I’m here to share with you today that it is possible, and I think that’s what’s exciting. That’s part of why I want to make sure I share this information is just not the first aspect of where we see artificial intelligence and innovation happening, it’s the next couple of phases that I think are leading edge. The fact is, not in today’s world where we might go and ask somebody do we do something, but we utilize that artificial intelligence or we utilize some other type of solution that automatically does the inquiry and validate against the defined database against known policies, practices, and system configurations. I think this is what’s great. That means, it can be done almost instantaneously. As soon as the alert comes in through natural language processing, its model to design to go look at a set of a defined tables that are either a policy or practice, or even a system configuration to determine whether there’s a gap or there’s not, or there might be an area where it might say I can’t determine, but at least it falls out and tell you, “This is where we’re seeing there’s a gap for someone to look at.” It’s doing this behind the scenes fully autonomous. It’s not having to worry about from a people aspect. It’s not determining whether it’s tax or payroll or HR or compensation. It’s doing it as a defined model.

Now, you see this as the factors, we still have to go and mitigate even after we have that capability, so the business works to mitigate those non compliance risk. Most importantly, it comes back and it does things for notifying, for reporting, and for metrics, as well as understanding where organization needs to move forward. We can also look at setting up from a risk posture position. How does an organization want to define itself as these requirements come in, or we see some of the gaps occur so we can set these up in different models.

I think where the future lies, and this is the blue sky future capabilities, is that this could be scalable across the organization, not just with HR. Now, organizations are truly operating as one. It’s identifying and removing those duplicated efforts across. Not only does that drastically reduce costs, not only from, say, for example, from FTEs, but also could be from a capital expense. As different lines of business put different technologies and different solutions and different providers to help that, those can all be drastically minimized.

The area that I think is where the next generation area will be, will be the ability to integrate with HR and payroll technology solution for real time rather target party intelligence. This means that as we connect the data from the monitoring to the inquiry, to the validate, ICV, the next generation aspect of where configuration will occur within systems, based on the parameters that organizations ask it to. If it says, I need to make sure that we have a new regulation that we need to abide by, where do we need to update the time tracking system? How do we have to make sure that the meal breaks might be set up? I honestly think that the world would get an alert from an app that we have on our phone that tells us: One, do we want to go ahead and do it? That means, they’ll give us the choice, or the app gives us the notification that we’ve already done it. The natural and the artificial language, identify where it needed to be done, work with the configuration aspect of a system, and configured it. Now, I think there’s a little bit of work that goes into that. I think, prior to that fully autonomous technology, configuration, automation is that you can set up the actual intake forms from a system standpoint. If it realizes that there’s a gap between what we need and what we need to do, then we can actually set the models up that it fills in the actual intake template, and they get sent to the right people without any manual intervention.

I think this is some really cool things to think about as we move forward, specifically in an area that is quite challenging. Was it really a challenge? Will not if we don’t limit and shy away from the challenging aspirational dialog. I really hope they shared some information that you can take back to your organization as well. I would really love to hear from those that are out there advancing in these areas. I think it’s so important when we look at from a regulatory nature and a compliance, supporting roles that we have, that we’re just not doing what we just should be doing, but we’re making sure that we not only survive in challenging opportunities, but our organizations are thriving. Thank you. Appreciate it.

Get full Q/N Access

Sign up to Q/N with a few details to watch this presentation.

  • Hidden
  • Hidden