When you think about business travel compliance, what comes to mind? It often includes things like enforcing the company’s travel policy, encouraging the use of online booking tools, and tracking travel spend through expense management systems. These efforts aren’t just vital for supporting duty of care and staying within the travel budget. They also help the company achieve broader goals, like enhancing employee satisfaction and promoting sustainability.
But there’s another important side to corporate travel compliance that often gets overlooked: making sure that the software and solutions your travel management company provides have been designed to safeguard data and uphold legal compliance. This is critical for protecting your organization from legal risks, maintaining employee trust, and supporting the smooth operation of your corporate travel program.
When your company uses tools built with compliance at their core, you can have peace of mind knowing travelers are seamlessly supported throughout their business trips. Employees can enjoy a better travel experience, confident that both they and their data are well-protected.
Behind responsibly built products that protect both the company and the traveler is a strong risk and compliance program. Such a program can help make sure every travel tool and service meets industry standards, reduces risks, and supports compliance with key regulations.
It’s a commitment our risk and compliance program at American Express Global Business Travel (Amex GBT) takes very seriously. The rigorous structure we apply to our new product development lifecycle helps us create products that deliver on our brand promise: that we must always act to protect our clients.
We spoke with Michael Savicki, Senior Vice President, Chief Risk & Compliance Officer, to learn more about the processes and principles behind our product development.
Q. What positions Amex GBT as a brand companies can trust? Why is our risk and compliance program one of the strongest in the travel space?
It begins with our ties to American Express and our legacy as part of a heavily regulatory financial services organization. American Express provided a foundational framework for our industry-leading risk and compliance program – and continues to be a key stakeholder as a major shareholder.
By virtue of American Express’s ownership interest, we are subject to the Bank Holding Company rules, enforced by the Federal Reserve System. This positions Amex GBT as the most highly regulated corporate travel management and meetings and events company in the world.
In July 2024, we celebrated our 10-year anniversary as an independent travel management company. One reason we decided to become our own entity was to channel greater investments into our products and technology for business travel, meetings & events, and expense management.
Over the last decade, we’ve enhanced and developed countless business travel solutions. Every one of them has been built in a safe and secure manner that delivers on the brand promise our clients have come to expect. We’ve also done thorough due diligence to make sure the numerous products we’ve integrated into our portfolio through our acquisitions uphold these same high standards.
Finally, our risk and compliance program is widely recognized, especially after earning the title of “Compliance Program of the Year” at the 2023 Excellence in Compliance Awards.
Q. How do you make sure these rigorous standards are incorporated into the process of enhancing and developing products?
As part of our risk management and compliance framework, we partner with our Product & Technology teams and embed a comprehensive enterprise-wide policy that supports our new product development process. The policy is intentionally broad and expansive to incorporate all “new products, platforms, capabilities, or services” impacting our clients as well as any jurisdictional expansions of existing products so that all our solutions are covered.
From concept to launch, our products and services are designed to support our clients and travelers. This applies to everything – from our booking platforms to expense management systems, even third-party tools like our travel risk management solution and carbon calculation integration. By embedding “compliance by design” into every stage of the product development lifecycle, we help protect our clients and travelers while meeting our regulatory obligations.
Q. How does Amex GBT practice “compliance by design”? What benefits does this model provide to clients?
Compliance by design means implementing enhancements and controls in a proactive manner, analyzing emergent risks, engaging stakeholders, and conducting ongoing monitoring and testing. This lifecycle approach supports our constant innovation and incorporates best practices, such as security architecture reviews and privacy impact assessments, to help maintain privacy and security by design into the new product development process.
When evaluating whether to invest in new technology or a new product and determining the approach to its creation, these are the key areas we focus on during the product approval process.
Q. Can you share more about the new product development processes? Who’s involved and what are the steps taken to make sure products meet Amex GBT’s robust compliance standards?
Product managers kick off the process by developing a product development plan (PDP), which includes a questionnaire that helps identify potential risks. A team of specialists across various risk pillars – including risk & compliance, legal, cybersecurity, finance, and HR – review the PDP to address these issues and allow our product development teams to operate in a nimble and agile manner.
A director on the risk and compliance team supports the innovation process and closely collaborates with the product development teams, regularly reviewing the product development roadmap to make sure compliance by design principles are embedded early in the process. The roadmap itself is reviewed every 180 days by a dedicated product planning team to make sure key projects stay on track and aligns with our business goals.
Once the product is built, it will go through a gated approval process to make sure the control framework and security testing are all set before we officially launch it to our clients.
We don’t stop there. If a product undergoes a feature enhancement or expands to a new country, we conduct another review before its release to make sure it meets all the necessary requirements to meet our brand promise and client expectations.
Q. Why should clients care about how their products are built? What advantages do products designed with compliance principles provide?
They offer protection on multiple levels. While corporate travel compliance might not be top of mind for most people, it becomes critical when news breaks of a major data breach, significant duty of care issues, or a company facing hefty fines for regulatory noncompliance. We address these challenges proactively by embedding the framework of our risk and compliance program into every step of our product development process.
Each day, we collect and process massive amounts of personal information through our travel bookings, including basic contact information, passport numbers, and credit card details. Every single one of our solutions – including our online booking tools, Amex GBT Neo and Amex GBT Egencia – have been meticulously designed to safeguard and protect our client and traveler data and satisfy applicable regulatory requirements.
As we continually enhance our available products, content offerings, and services for our clients, we’re making certain the same rigorous controls are applied to these newly established content offerings and booking channels.
Q. What’s a pressing compliance issue that the risk and compliance team is focused on these days?
Artificial intelligence is a major one. Our clients and their travelers have valid concerns about the data security, and accuracy of AI, demonstrating the need for continuous improvements and transparency. So as generative AI continues to reshape how we work and serve our clients, we are dedicated to exploring its full potential while making sure the AI-powered tools we offer to our clients are safe for them to use.
We recently launched a new management policy that governs how we use AI to make sure we balance innovation with responsibility. Under this new policy, all generative AI-enabled solutions need to go through an AI impact assessment to make sure they are compliant with new regulatory developments, including the European Union’s AI Act.
By maintaining a secure environment and collaborating with trusted technology providers, we are developing AI-powered tools designed to safeguard our clients’ privacy and security.
Discover more about our responsibly designed products
Our deep commitment to responsible innovation has earned the trust and confidence of our clients. We look forward to continuing to deliver on our brand promise over the next decade of our growth journey.
To learn more about our risk and compliance program and the lengths we go to create responsible products, check out our Powering Progress report.
