Motivations and Research Question

The law is getting more and more complex and difficult to understand due to subsidiarity, specialisation and the increasing power of state authorities. In Italy, for example, finance law is one area of the law which is so complex and ever-changing that financial institutions employ or sub-contract compliance officers to monitor and check that banking processes remain compliant. This is largely due to a fundamental change in the law on accountability of financial institutions, a change that has resulted in continuous clarification and extension of the law over the last decade.

Until ten years ago, Societas delinquere non potest was the dominant doctrine in Italian financial law. This meant that if the director of a bank or insurance company committed a crime, he could be tried and punished, but the company would not be liable. Legislative Decree 231/2001 was a radical piece of legislation that changed the nature of legal obligations for banks and insurance companies. Now such organisations can be held responsible for criminal activities carried out by their employees even when such activities were not prescribed or authorised. Legislative Decree 231/2001 and related legislation impose permissions, obligations and constraints on financial professionals in given situations.

Financial institutions have a strong business motivation for ensuring they comply with the law, and for demonstrating that they have systems and procedures for compliance monitoring. If a financial organisation has demonstrated that it has a responsible monitoring system in place but an employee still manages to engage in illegal activities under its watch, the organisation can avoid paying out substantial fines and incurring damage to its reputation. Financial institutions manage compliance law by summarizing the legislation in a series of so-called prescriptions and mapping them to processes in the workflow. However, financial institutions do not make the best use of technology. They employ legal researchers who trawl through various sources to manage information about legislative changes and influential cases. For particularly difficult areas, they seek the expensive guidance of lawyers expert in this field. But the information is sought on an ad-hoc basis, is not stored and managed effectively, and is not linked to the terminology and relevant legislation that are crucial to a true understanding of the law.

Boella et al. [1] provide a general description of Eunomos, a legal document management system developed by the University of Turin for researching legislation and legal terminology. Boella et al. [2] describe the extension of the Eunomos ontology with a prescription data type so that a compliance officer can view related legal requirements, accountable job roles and sanctions in one web view. This chapter builds on the Eunomos system and introduces the notion of role into it. Roles have several uses in a system to support compliance:

  • Prescriptions are associated with roles rather than individuals.

  • Participation in processes is distributed in terms of roles.

  • Permissions to access resources, primarily to information systems, are associated with roles, as in the Role Based Access Control (RBAC) methodology.

  • Constraints like separation of duties are expressed in terms of roles, e.g., preventing role combinations such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and having custody of pay checks.

  • Risk management is often based on the responsibilities assigned to the different roles.

However, these dimensions are often kept separate, leading to problems when they interact. For example, access permissions are assigned by offices which do not have a complete picture of the evolution of who plays which role. Analogously, separation of duties fails when people change role after static verification of the constraints. Finally (and this is the example we will consider in this chapter), roles associated with duties in the law are not always immediately mapped onto processes of an organization. The problem is that there is no common conceptual framework defining the notion of a role. Ontology is the discipline in Computer Science which studies how to provide a formal, explicit specification of a shared conceptualisation. The research question of the chapter is: how can we construct an ontologically well-founded notion of role that is practical at the same time?

The methodology of this chapter is to start from the foundational work of Boella and van der Torre [3] on roles and adapt it to a practical scenario. In this chapter we will focus on the interplay between roles and duties and processes, while we leave other issues as future work. Moreover, here we do not consider in detail the ontology of processes and we abstract them as concepts with relationships concerning the participants.

The intersection between legal and organisational knowledge is a difficult domain to model in an ontology because many legal and organisational concepts are socially constructed objects that may or may not have a close connection to physical reality. Moreover, relating organisational roles as defined in legislation to other concepts is impossible with classical is-a hierarchies only [4].

Eunomos for Compliance

The Eunomos’ Infrastructure

Eunomos is a knowledge management system that enables users to research laws and legal concepts. Eunomos offers a highly structured framework with legislative XML, enabling users to view relevant legislation from various sources from the same web interface, and access a database of duties and prohibitions, annotated with explanations in natural language, as well as an ontology of terms that are relevant for particular domains. Each piece of legislation in the Eunomos database is stored in accordance with the Norme in Rete (NIR) legislative XML standard using the ITTIG CNR parser.

The Legal Taxonomy Syllabus ontology [5] integrated in Eunomos was originally modelled on European Consumer Law, where terms can mean different things in different languages, within European versus national jurisdictions, and within different domains. As such, the main assumptions of the Legal Taxonomy Syllabus ontology come from studies in comparative law and ontology engineering. Eunomos also contains an extended structure for certain concept types. We discuss the Prescriptions and Roles extensions below.

Fig. 1 The description of a prescription with the related concepts

Prescriptions

Within Eunomos, a prescription is a legal rule abstracted from legislation and linked to information that is relevant to that particular rule. Each prescription is necessarily connected to other concepts in the ontology by the relations:

  • Deontic clause: the type of prescription: obligation, prohibition, permission, exception.

  • Active role: the addressee of the norm (e.g., director, employee).

  • Passive role: the beneficiary of the norm (e.g., customer).

  • Crime: the type of crime resulting from violation of the prescription, often defined in other legislation such as the Penal Code.

  • Sanction: a concept describing the sanction resulting from the violation.

Figure 1 illustrates a prescription together with its links to other concepts.

Each prescription contains links to the articles of legislation in which the prescription is defined. Note that some prescriptions can span several paragraphs and/or articles of a piece of legislation; conversely, a single paragraph within one article can include more than one prescription. A macro-prescription can also be stored which specifies a general principle and contains links to specific prescriptions that come under this principle. For each prescription, the relevant text is quoted and then described in natural language.

Roles

To ensure traceability and accountability, each business process is subject to prescriptions either directly or via the links to roles and the individuals who act in those roles, depending on whether the prescription refers to processes or roles.

Modelling roles is not as easy as it seems: how can ontologies model the fact that roles can be held by more than one person, that roles can be vacant, that individuals can change jobs or hold multiple roles concurrently or switch between different roles at different times, or that roles can take on other roles? The latter is a real issue in compliance: a general manager or managing director assumes the role of a public officer in situations where the bank performs services in the public interest, e.g., collecting taxes on behalf of the state, and is then subject to prescriptions that apply to public officers. The issue of changing jobs can also cause problems such as conflict of interest. For instance, the law states that the same person cannot approve their own expenses. However, it is perfectly conceivable that an employee might submit an expenses claim as a sales representative, move to an expenses administration role, and end up monitoring their own expenses claims.
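The expenses scenario above can be checked mechanically once role assignments are recorded with start and end dates. The following is an added example, not part of the chapter or of Eunomos; the dated assignment records, the role and person names and the claim data are all constructed assumptions. It shows a snapshot check passing on every day while a history-aware check catches the self-approval.

```python
from datetime import date

# Constructed data. Dated role assignments are an assumption of this example.
PLAYER_OF = [  # (person, role instance, from, until); until=None means current
    ("rossi",   "sales_rep_1",      date(2023, 1, 1), date(2023, 6, 30)),
    ("rossi",   "expenses_admin_1", date(2023, 7, 1), None),
    ("bianchi", "sales_rep_1",      date(2023, 7, 1), None),
]
CONFLICTING = {("sales_rep_1", "expenses_admin_1")}
CLAIMS = [  # (claim id, submitting role, submitted, approving role, approved)
    ("c-17", "sales_rep_1", date(2023, 6, 20), "expenses_admin_1", date(2023, 7, 5)),
    ("c-18", "sales_rep_1", date(2023, 7, 10), "expenses_admin_1", date(2023, 7, 12)),
]

def players_at(role, day, links=PLAYER_OF):
    """People playing `role` on `day`."""
    return {p for p, r, start, end in links
            if r == role and start <= day and (end is None or day <= end)}

def static_violations(day, links=PLAYER_OF):
    """Snapshot check: who holds both roles of a conflicting pair on `day`?"""
    return {p for a, b in CONFLICTING
            for p in players_at(a, day, links) & players_at(b, day, links)}

def self_approvals(claims=CLAIMS, links=PLAYER_OF):
    """History check: resolve each role to its player at the time of the act."""
    hits = []
    for cid, sub_role, sub_day, app_role, app_day in claims:
        same = players_at(sub_role, sub_day, links) & players_at(app_role, app_day, links)
        hits += [(cid, person) for person in sorted(same)]
    return hits

if __name__ == "__main__":
    print(static_violations(date(2023, 7, 5)))  # no simultaneous conflict
    print(self_approvals())                     # claim approved by its submitter
```
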

Even if it is well recognized that roles are a representation primitive which should be described in the meta-ontology, we adopt a pattern based approach which allows roles to be expressed in current ontology formats such as Web Ontology Language (OWL), the de facto standard language for ontology. This not only simplifies the adoption of the notion of roles but also allows roles to be integrated with legacy systems.

In this chapter we use as an example a subtle interaction between roles concerning prescriptions and roles concerning processes.

In art. 318 of the Penal Code, “public officers” or persons involved in functions of public service (pubblica utilità) are subject to obligations to prevent corruption. This norm would not appear to be relevant for a private institution like a bank. However, in Italy, there is a relationship, since banks can provide functions of public service, and banks need to know which employees are subject to these obligations. We can carry out this reasoning only by analysing which roles in the organization participate in processes which can be considered a public service: the reasoning pattern is that the subjects (here called activeRole) of the obligations are not only agents playing the role of public officer, but also further roles (e.g., bank director) when they are considered as public officers, due to the kind of processes they are involved in.

Note that there are several complexities concerning the meanings of the term “role” in this example. First of all, we have the notion of social role, an individual of type agentive entity, which is part of an organization. E.g., the director is a role of a bank and public officer a role of the public administration. The second issue is the notion of a participant in a process, a processual role. There are subtle interplays between these two notions. On the one hand, processual roles connect processes to social roles: e.g., the bank director (a social role) is the activeRole of the process of giving loans or collecting taxes. On the other hand, as agentive entities, social roles such as bank director can play other social roles. Hence, the bank director plays the role of public officer when involved in some process. Due to the anti-rigidity of this property (i.e., it can change over time), the director cannot be considered as a specification of public officer, so the former is not connected to the latter in the “is-a” hierarchy but by a playerOf relation. Note that in our model it is the director role instance which is playing the role of public officer and not directly the person who is acting as director: the rationale is that in the latter case we would lose the intuition that the person is a public officer only qua director.

To model these distinctions, we resort to two patterns for modelling roles in ontologies. The first is to model processual roles, with a simplified view of roles. The other is to model social roles in a full fledged mode. To model processual roles we regard them as properties or relations, without introducing a proper role concept to be instantiated. E.g., the active role is represented with an activeRole property. Its domain and range represent the context on which the role depends and the potential players that can play the role, respectively. Therefore, the role makes sense only if individuals of the process and players exist.

We adopt the same solution for roles concerning prescriptions: active and passive roles. Using [6]’s terminology, we call them relational roles.

Meanwhile, social roles, since they are individuals, are modelled using a more complex pattern (see Fig. 2). We introduce role concepts, and specifications of that class, e.g., director. Roles are related to a context, the organization class via a roleOf relation and their possible players are connected via a playerOf relation (a person in the case of a director). On the one hand, role concepts are associated with an organization concept which provides the context of the role. On the other hand, they are also associated with the class of the player, creating a restriction on the possible players. The introduction of role concepts means that the roles are treated as instances separated from the instance of their players. This allows properties to be associated with the role, which are different from that of the player. Moreover, it allows for identity of roles (thereby addressing the so-called counting problem) and the possibility that an individual can play multiple roles: this is represented by connecting the same individual as the player of several role instances. Dynamics of roles (players can stop playing roles) is ensured by changing the playerOf relationship.

Fig. 2 The ontology of roles.

Since Eunomos uses a lightweight ontology, in our model we do not explicitly consider restrictions on fillers of relations. However, constraints are ensured at the level of the insertion and modification interfaces and at the level of the database, with a system of triggers for ensuring consistency. The reason for this is that roles have been added to a legacy system which started with the Legal Taxonomy Syllabus, whose first aim is acceptability to law scholars and practitioners. For example, a role instance must always be connected to an instance of an organization by a roleOf relation and to an instance of a class connected by the playerOf relation to the role class. Thus, the latter arrow in the figure does not mean that the instances of a player class must always be connected to an instance of the role class, since roles are anti-rigid by definition. Moreover, roles can be played by instances of different classes.

Figure 2 illustrates the example about public officers. In the top left corner we have the role concept associated with its context: an organization related with the roleOf relation. Each role can belong only to one organization, due to definitional dependence, while organizations can have multiple roles. However, as discussed above, we do not have such an explicit constraint in the ontology. Each specialization of the role concept is related to a specialization of the organization class. In the figure, the director role is associated with a bank. Instances of director roles can be played only by instances of persons (see the playerOf relation). The director role participates in the process of collecting taxes with the processual role activeRole. Note that this process is also considered a public service besides being a process of a bank (processOf).

Analogously, the public officer role is a role of the public administration and can be played only by persons. The public officer is subject to the obligation not to be corrupted. The relation between the prescription and the social role of public officer is similar to the processual roles: the public officer is the active role in the prescription, while the public administration is the passive role (i.e., the beneficiary of the obligation). For simplicity we do not represent in the figure the link between processes and the organizations defining them: e.g., a public service is a process within a public organization. The link with the regulations (Art. 318 of Penal code) is not illustrated in the figure, but it is an essential component of Eunomos’ ontology.

Coming to the main question of the example, the bank can understand who in the bank is subject to the prescription against corruption when there is a playerOf link between an instance of the role director and one of the role public officer, a link which must be set when a director plays the role of public officer in the context of a process which is a public service.
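The social-role pattern and the public-officer inference described above can be sketched as a small triple store. This is an added illustration, not Eunomos code: the `Graph` class, the helper functions and all instance names (alice, bob, dir1, dir2, bank_x and so on) are constructed, and giving each instance a single class is a simplifying assumption.

```python
# Added illustration, not Eunomos code. Instance names are constructed.
class Graph:
    def __init__(self):
        self.t = set()   # (subject, relation, object) triples
        self.cls = {}    # instance -> class name

    def add(self, s, rel, o):
        self.t.add((s, rel, o))

    def subjects(self, rel, o):
        return {s for (s, r, x) in self.t if r == rel and x == o}

    def objects(self, s, rel):
        return {x for (y, r, x) in self.t if y == s and r == rel}

    def add_role(self, role, role_cls, org, player):
        # Stand-in for the interface checks and triggers: a role instance
        # always has a roleOf context and a playerOf player.
        if org not in self.cls or player not in self.cls:
            raise ValueError(f"{role}: unknown organization or player")
        self.cls[role] = role_cls
        self.add(role, "roleOf", org)
        self.add(player, "playerOf", role)

def link_public_officers(g, admin="public_admin"):
    """Roles active in a public-service process get to play a public officer."""
    for proc in [i for i, c in g.cls.items() if c == "PublicService"]:
        for role in g.objects(proc, "activeRole"):
            if f"po_of_{role}" not in g.cls:
                g.add_role(f"po_of_{role}", "PublicOfficer", admin, role)

def subject_to(g, prescription):
    """Persons bound by a prescription, with the playerOf chain (qua what)."""
    found = {}
    (target_cls,) = g.objects(prescription, "activeRole")
    stack = [(r, [r]) for r, c in g.cls.items() if c == target_cls]
    while stack:
        node, chain = stack.pop()
        for player in g.subjects("playerOf", node):
            if g.cls[player] == "Person":
                found[player] = chain[::-1]
            elif player not in chain:          # guard against playerOf cycles
                stack.append((player, chain + [player]))
    return found

def build_example():
    g = Graph()
    g.cls.update({"bank_x": "Bank", "public_admin": "PublicAdministration",
                  "alice": "Person", "bob": "Person",
                  "collect_taxes": "PublicService", "give_loans": "BankProcess"})
    g.add_role("dir1", "Director", "bank_x", "alice")
    g.add_role("dir2", "Director", "bank_x", "bob")
    g.add("collect_taxes", "activeRole", "dir1")
    g.add("give_loans", "activeRole", "dir2")
    g.add("art318_no_corruption", "activeRole", "PublicOfficer")
    link_public_officers(g)
    return g
```

Because the public officer role is played by the director role instance rather than by the person, replacing the player of `dir1` moves the obligation to the new director without touching the prescription or the process.
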

The key to unravelling these problems is to look at the context—namely prescriptions, process universals and process instances. Prescriptions are assigned active and passive role relations to universal role concepts which are defined by the law. Universal processes are assigned active and passive role relations to universal role concepts defined by the organisation. Instance processes are assigned active and passive role relations to instances of roles defined by the organisation.

Related Work and Conclusions

There is a wealth of literature about roles [7], and we will focus here on only the most relevant work. The distinction between processual and social roles is inspired by Loebe [6]; however, we have a simplified view of processual roles in our model. Loebe [6], for the sake of generality, proposes a unified model of processual and social roles, in which the former also have instances of role concepts. In our model processual roles are modelled as relations connecting processes (and prescriptions) to the players (which happen to be social roles). The model is very similar to the one of HOZO [8], with the exception that we do not model the aggregation of the role instance and the role player. In particular, we are inspired by the HOZO philosophy of mapping the notion of role onto traditional ontology patterns.

We have described a practical use of an ontological model of roles within a legal monitoring system for regulatory compliance. The basic ontology of prescriptions for compliance as described in [2] is suitable not only for navigating conceptual terms and linking to source legislation in a highly complex area of the law but also for managing structured information about the ever-evolving series of prescriptions that apply to the financial sector. This chapter has discussed a further extension to the ontology to reason about roles so as to enable monitoring of actual processes and ensure accountability on an individual level.