Regulatory compliance is the set of activities an enterprise does to ensure that its core business does not violate relevant regulations, in the jurisdictions in which the business is situated, governing the (industry) sectors where the enterprise operates.

The activities an organisation does to achieve its business objectives can be understood as business processes, and consequently they can be represented by business process models. On the other hand a normative document (e.g., a code, a bill, an act) can be understood as a set of clauses, and these clauses can be represented in an appropriate formal language. Based on this [ 5 ] proposed that business process compliance is a relationship between the formal representation of a process model and the formal representation of a relevant regulation.

To gain compliance different strategies can be devised. [ 16 ] classifies approaches to compliance as detective, corrective and preventative.

Detective measures are intended to identify “after-the-fact” un-compliant situations. There are two main approaches: (a) retrospective reporting through manual audits by consultants or through IT forensics and Business Intelligence tools; (b) automated detections generating audit reports against hard-coded checks performed on the requisite system. Unlike the first approach, automated detection reduces the assessment time and consequently also the time of un-compliance remediation/mitigation.

Corrective measures are intended to limit the extent of any consequence caused by un-compliant situations. For example, situations that can arise from the introduction of a new norm impacting upon the business, to the organisation coming under surveillance and scrutiny by a control authority or to an enforceable undertaking.

The two approaches above suffer from lack of sustainability, caused by the extreme interest of companies in continuous improvements of the quality of services, and for changing legislations and compliance requirements. Indeed, even with automated detection means, the hard coded checking of repositories can quickly grow to a very large scale making it extremely difficult to evolve and maintain. To obviate these problem [ 17,13 ] propose a preventative focus based on the idea of compliance-by-design.

The key aspect of the compliance-by-design methodology is to supplement business process models with additional information to ensure that a business process is compliant with relevant normative frameworks before the deployment of the process itself.

In this section we first introduce the architecture of BPCC, a business process compliance checker based on the business process compliance methodology proposed by Governatori and Sadiq [ 9 ].

As we have already discussed to check whether a business process is compliant with a relevant regulation, we need an annotated business process model and the formal representation of the regulation. The annotations are attached to the tasks of the process, and it can be used to record the data, resources and other information related to the single tasks in a process.

For the formal representation of the regulation we use FCL [ 4,8 ]. FCL is a simple, efficient, flexible rule based logic. FCL has been obtained from the combination of defeasible logic (for the efficient and natural treatment of exceptions, which are a common feature in normative reasoning) [ 1 ] and a deontic logic of violations [ 6 ]. In FCL a norm is represented by a rule

1, … , ⇒ Where 1, … , are the conditions of applicability of the norm/rule and is the normative effect of the norm/rule. FCL distinguishes two normative effects: the first is that of introducing a definition for a new term. For example the rule (), () > 1000 ⇒ _() specifies that, typically, a premium customer is a customer who has spent over 1000 dollars. The second normative effect is that of triggering obligations and other deontic notions. The deontic notions covered by FCL are obligations1, permissions, and reparation chains. For obligations FCL supports both maintenance obligations and achievement obligations, and for achievement obligations both pre-emptive and non-pre-emptive obligations (see [ 8 ] for full details). A reparation chair is an expression 1 1 ⊗ 2 ⊗ ⋯ ⊗ , where each is an obligation, and each is the content of the obligation (modelled by a literal). The meaning of a reparation chain is that we have that 1 is obligatory, but if the obligation of 1 is violated, i.e., we have ¬ 1, then the violation is compensated by 2 (which is then obligatory). But if even 2 2 is violated, then this violation is compensated by 3 which, after the violation of 2, becomes obligatory, and so on.

It is worth noticing that FCL allows deontic expression (but not reparation chains) to appear in the body of rules, thus we can have rules like: , [P] _ℎ ⇒ [OM]ℎ _ ⊗ [OAPNP] _.

The rule above means that if a restaurant has a license to sell alcohol (i.e, it is permitted to sell it, [P] _ℎ ), then it has a maintenance obligation to expose the license ([OM]ℎ _ ), if it does not then it has to pay the fine ([OAPNP] _ ). The obligation to pay the fine is non-pre-emptive (this means it cannot be paid before the violation). For full description of FCL and its feature see [ 4,8 ]. 1 Note the obligations allow us to capture prohibitions; a prohibition is an obligation plus negation, for example the prohibition to smoke can be understood as the obligation not to smoke.

We reported on the development of a tool, BPCC, for checking the compliance of business processes with relevant regulations. The BPCC was successfully tested for real industry scale compliance problems. In the recent years, a few other compliance prototypes have been proposed: MoBuCom [ 15 ], Compass [ 2 ] and SeaFlows [ 14 ]. MoBuCom and Compass are based on Linear Temporal Logic (LTL) and mostly they just address “structural compliance” (i.e., that the tasks are executed in the relative order defined by a constraint model). The use of LTL implies that the model on which these tools are based on is not conceptual relative to the legal domain, and it fails to capture nuances of reasoning with normative constrains such as violations, different types of obligations, violations and their compensation. For example, obligations are represented by temporal operators. This raises the problem of how to represent the distinction between achievement and maintenance obligations. A possible solution is to use always for maintenance and sometimes for achievement, but this leaves no room for the concept of permission (the permission is dual of obligation, and always and sometimes are the dual of each other). In addition using temporal operators to model obligations makes hard to capture data compliance [ 10 ], i.e., obligations that refer to literals in the same task. SeaFlow is based on first-order logic, and it is well know that first oder logic is not suitable to capture normative reasoning [ 11 ]. On the other hand FCL complies with the guidelines set up in [ 3 ] for a rule languages for the representation of legal knowledge and legal reasoning.

NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.