Description- U.S. enforcement authorities have made it clear that multinational companies today should have in place a sound data analytics compliance program to proactively mitigate risks. Compliance departments should heed the warning.
For more than two years now, heads of the U.S. Department of Justice have maintained a steady drumbeat that they expect companies today to have in place a sound data analytics compliance program to proactively mitigate risks. Compliance departments should heed the warnings.
An especially significant development portending the DoJ’s intensified focus on data-driven compliance programs was the onboarding in September 2022 of Matt Galvin into the Fraud Section’s recently restructured Corporate Enforcement, Compliance and Policy (CECP) Unit.
As former head of compliance at global brewing company Anheuser-Busch InBev (AB InBev), Galvin is a well-known compliance expert for his innovative use of artificial intelligence and machine-learning in proactively mitigating compliance risk. In 2017, Galvin spearheaded the launch of AB InBev’s advanced data analytics platform, BrewRIGHT, which culls troves of compliance and transactional data from numerous accounting and compliance systems across the company where it is harmonized into a centralized repository.
The platform runs algorithms to organize and analyze the data under such buckets as anti-corruption and fraud risk, vendor management, anti-money laundering, economic sanctions, conflicts of interest, and even free beer giveaways. Specially built dashboards enable AB InBev’s compliance teams to proactively identify and monitor any algorithms flagged as high-risk and root out risks across the more than 50 markets where AB InBev operates. Simply put, the hiring of Galvin as a data analytics advisor for the Fraud Section is a strategic move.
Another significant hire at the DoJ was the appointment of Glenn Leon as the Fraud Section’s new chief, who joined the agency after serving most recently as chief ethics and compliance officer at Hewlett Packard. The onboarding of more compliance professionals means prosecutors are more adept than ever at assessing companies’ compliance programs.
“We are using every tool at our disposal to combat corporate crime, including more sophisticated data analytics and other means to proactively identify criminal conduct,” Assistant Attorney General Kenneth Polite said in Jan. 17 remarks at Georgetown University.
DoJ authorities have consistently made clear they expect compliance departments to use technological capabilities to detect misconduct as well. In keynote remarks made in October 2021, then-principal associate deputy attorney general John Carlin said, “It’s going to be the expectation [at the DoJ] when evaluating compliance programs that corporations are using the same type of analytics to look for and predict misconduct.”
Broadening data sets
A sound data analytics compliance program requires companies to monitor beyond traditional sources of data to include their employees’ use of personal devices and third-party messaging applications for business purposes. They must also have the ability to preserve and recover relevant data in the event of an investigation.
In an agency memo issued in September 2022, revising corporate criminal enforcement policies, Deputy Attorney General Lisa Monaco made clear that companies are expected to have policies governing personal devices and third-party messaging apps, employee training on such policies, and enforcement of those policies when violations are identified.
The U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission are focusing their sights on illegal uses of personal devices and third-party messaging apps as well, having issued billions in fines in the financial services industry for such violations.
Risk-based data analytics
In public comments, Leon said he doesn’t expect companies to have the “shiniest tool,” but rather that they turn data they already have into actionable results. This necessarily requires compliance to have access to relevant data.
According to the Criminal Division’s “Evaluation of Corporate Compliance Programs” guidance, questions to consider include, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
Just as the DoJ has repeatedly stressed compliance programs should be risk-based, “I would expect they would look at data analytics the same way,” Scott Schools, chief ethics and compliance officer at Uber, said on a recent webinar. “At least from my perspective, I would want to make sure I can defend the level of resources I am expending on data analytics, based on a risk-based analysis.”
Data-driven compliance measures
Robert Houle, an analytics consulting manager at Baker Tilly, shared some best practices for establishing a data-driven compliance program, including the following:
Map the data. Begin by identifying all the systems across the organization that are capturing data. Consider the following questions: “How is data flowing through those systems? How is the data being manipulated or changed? Does it converge with other systems at some point?”
Collect the data into a centralized dashboard. After mapping out the data, the next step is to extract and consolidate the data from those multiple systems. Once consolidated, the data can then be cleaned and harmonized. Because data is typically pulled from multiple systems, building a reliable data workflow process is important. “If you’re grabbing the wrong data, your visualizations are not going to be relevant,” Houle said. “They might guide you in the wrong direction.”
Analyze and compare the data. This step is where human context comes into play, evaluating for trends by applying filters and interacting with the data in various ways—analyzing data across a specific business function or specific regions, for example. This is also when to introduce algorithms and measure the data against key risk indicators (KRIs).
In practice, a robust data visualization process requires “involving a very focused team that has a strong analytics background,” Houle said. The data analytics team should not work in a silo, he added, but rather work alongside compliance and other functions to understand, for example, “‘What are the risk drivers at the organization? What KRIs are we going to measure against? How are we going to quantify risk?’”
Report out the results from the data visualization exercise. Some questions for compliance to consider are, “Where are the gaps? What do we need to improve upon?” Houle said. This process is an ongoing cycle, starting with a data-driven risk assessment and continuing with continuous auditing and monitoring, he said.
Conclusion
As Polite noted, the DoJ is “working more closely than ever” with law enforcement partners around the world, and that most FCPA resolutions in recent years were “the result of cooperation and coordination with foreign and domestic authorities.” The warning is this: In the event of an investigation, failure to have in place a sound data analytics compliance program can quickly turn into a cross-border nightmare for a multinational company.
Data analytics does not necessarily have to be costly or complex. Companies with limited resources can start by analyzing investigations and complaints data, in combination with cultural surveys, for example, that may collectively point to red flags or trouble spots. Ultimately, the end goal is for the compliance function to draw meaningful and proactive insight into where compliance risks may be present or where improvements may be necessary
