What Companies Should Know About Data Analytics’ Value in Compliance
What Companies Should Know About Data Analytics’ Value in Compliance
The U.S. Department of Justice’s (DOJ) Foreign Corrupt Practices Act (FCPA) unit is cracking down on white-collar crime. To achieve this, the DOJ has recommended that companies incorporate data analytics to strengthen their compliance programs. Companies that heed this advice should implement a strong data analytics function, identify key risks, and look to mitigate them.
This article (a) explains the DOJ’s recent emphasis on robust data analytics in anti-corruption compliance programs, (b) outlines how data analytics can and should be used in these programs, and (c) suggests an approach to help legal counsel and companies determine if corporate programs will pass muster with the DOJ.
The DOJ Has Been Clear on Data Analytics
The DOJ has already sent numerous signals that it sees data analytics as a crucial player in compliance programs. These signals include the DOJ’s recent pronouncements, the hiring of Matt Galvin as compliance and data analytics counsel in the Criminal Division’s Fraud Section, and its corporate enforcement policies.
On September 15, 2022, Deputy Attorney General Lisa Monaco released a 15-page memorandum, which revised existing corporate criminal enforcement policies and practices.1 The memorandum provides guidance (among others) on a) individual accountability for corporate crimes, b) evaluation of the company’s historical misconduct, c) corporate policies and procedures on voluntary self-disclosure, d) evaluation of the company’s commitment to cooperate, e) evaluation of a corporate compliance program, and f) deciding factors to require an independent compliance monitor.
Under this new guidance, corporate compliance programs need to address non-traditional data sources, including data and communications that reside and are transferred in personal devices and third-party messaging platforms. Overall, the revisions from this memorandum place strong emphasis on corporate data practices and data governance as two important factors in demonstrating and ensuring compliance.
On May 16, 2023, Glenn Leon, the Chief of the Fraud Section of the Criminal Division, spoke at the Wall Street Journal Risk & Compliance Forum and pointed to data analytics as one of the fraud section’s initiatives under his leadership. More specifically, Leon stated that “data analytics is a really big, important exciting area that I’m particularly focused on and I’m very excited about.”2 Notwithstanding the section’s own use of data analytics, Leon stressed that data analytics is becoming cheaper and that organizations, whether they are Fortune 50 publicly traded companies or smaller businesses, need to harness those capabilities for compliance purposes.
Additionally, in an updated memo (as of March 2023) the DOJ underscored the value of data analytics and robust data governance policies and procedures to a functioning compliance program.3
In discussing Data Resources and Access, the DOJ emphasizes:
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
Hiring of Matt Galvin
Matt Galvin was hired by the DOJ as compliance and data analytics counsel in the Criminal Division’s Fraud Section in late 2022, and his employment highlights the DOJ’s commitment to data analytics in compliance.
As he advises prosecutors on effective policies and procedures that companies can implement to prevent white-collar crime and policy violations, Mr. Galvin brings extensive experience from his time at Anheuser-Busch InBev, where he was instrumental in developing machine learning technology to identify potential risks and illegal activity. In that role, he led a compliance team to create a centralized repository that combined datasets from across the company, as well as external datasets such as sanctions lists to better analyze accounts payable, expense, compliance, and investigations records.
In his role now, Mr. Galvin is promoting the use of data in developing compliance systems and moving the DOJ’s needle forward in promoting data analytics as a tool in corporate compliance.
Corporate Enforcement Policies
The quantifiable benefits of using data analytics in compliance programs are also significant. Increasingly, one of the keys to comprehensive compliance is the robust use of data analytics.
The FCPA Corporate Enforcement Policy offers a 50% reduction off the low-end of the U.S. Sentencing Guidelines (USSG) fine range for companies that self-report and fully cooperate. Even companies that do not self-report can receive a 25% reduction off the low-end of the USSG fine range if they fully cooperate and take timely and appropriate remedial action. Data analytics can be a valuable tool for companies to identify misconduct and can significantly decrease fines when timely reported with full cooperation from the company.
Even very recently, Kenneth Polite, outgoing chief of the DOJ Criminal Division, emphasized robust data analytics use in FCPA cases.
As stated in The Wall Street Journal:
In recent months, Justice Department officials have hinted that the next area they plan to scrutinize using data analytics will be in their enforcement of the Foreign Corrupt Practices Act, a 1977 statute that prohibits companies from paying bribes to foreign officials to gain a business advantage.
The criminal division’s fraud section, which oversees enforcement of the FCPA, is looking to use banking data to hunt for potential bribery violations, Polite said. Under U.S. anti-money-laundering rules, banks are required to screen customers for suspicious activity and report it to regulators at the Treasury Department.
Although exactly how prosecutors will use such suspicious-activity reports to find bribery remains unclear, Polite suggested that getting access to some of the data behind the reports would be helpful to such efforts.4
The DOJ’s use of data analytics in FCPA investigations is a clear indication that it will also evaluate a company’s incorporation of data analytics in its compliance program.
Companies and their legal advisors need to evaluate existing corporate compliance programs, and data experts are needed to analyze the data reports, data sources, and transactions to assess the risk and effectiveness of those programs. Similarly, companies should be applying data analytics tools to assess their corporate compliance programs. Robust data and data analytics methodologies lead to better proactive compliance when policy document reviews and employee interviews are not sufficient for organizations to receive credit for cooperation with the DOJ prosecutors.
Using Data Analytics for Corporate Compliance
Integrating data analytics into a company’s compliance program can play a pivotal role in identifying and addressing potential FCPA violations. There are many benefits of leveraging data analytics as part of a tailored compliance program to effectively tackle FCPA challenges.
Enhancing Due Diligence Processes
By employing advanced algorithms and machine learning techniques, companies can sift through various data sources, including financial records, public records, and transactional data to uncover suspicious patterns or connections. These data-driven insights enable organizations to conduct more comprehensive due diligence on business partners, third-party agents, and potential acquisitions, reducing the risk of engaging with entities involved in corrupt practices.
Identifying Anomalies and Patterns
By analyzing financial transactions, employee expense reports, and other relevant data sets, companies can identify unusual patterns, such as inflated invoices, excessive entertainment expenses, or suspicious payments to foreign officials. Automated monitoring systems can be implemented to flag such activities, enabling organizations to investigate further and take necessary remedial actions promptly.
Monitoring and Auditing Compliance
Data analytics can aid in continuously monitoring and auditing compliance with FCPA regulations. By establishing robust data analytics frameworks, companies can proactively track financial transactions, procurement processes, and interactions with third parties. Automated systems can detect potential violations in real-time or on a regular basis, helping organizations to identify and address compliance issues promptly. Additionally, data analytics can assist in conducting retrospective analyses of historical data to identify any past irregularities, enabling organizations to rectify any potential violations promptly.
Continuous Improvement Through Data-Driven Insights
Analyzing trends, patterns, and common compliance pitfalls allows companies to finetune their policies, procedures, and training programs. Data-driven insights can help organizations stay updated with emerging compliance challenges and adjust their strategies accordingly. Moreover, organizations can benchmark their compliance performance against industry peers by leveraging anonymized data from compliance consortia or industry associations.
Crafting an Effective Data Analytics Program Using Machine Learning
Traditionally, companies engage with third parties (consultants, auditors, and lawyers) to assess their compliance practices, which are labor intensive, involve basic or rudimentary data analysis, and rely heavily on interviews of enterprise employees by auditors to understand business processes. The evaluation is primarily manual, labor intensive, and inefficient.
Notwithstanding the value that these traditional risk assessments and compliance evaluations provide, deploying data analytics solutions based on machine learning (ML) and artificial intelligence (AI) can significantly reduce costs, identify otherwise aberrant activity, and self-reinforce continuous improvements in the compliance function. Companies can also leverage advanced data analytics capabilities for uses other than their compliance programs (e.g., enhanced operational insights, improved efficiency and productivity, data-driven decision making, predictive analytics and forecasting, and competitive advantage, among others).
ML models, such as deep learning methods, analyze the data and provide a risk score for all transactions and third-party vendors. As a result, every payment and vendor is analyzed, and if the risk score is above a threshold, this payment or vendor is flagged and is deemed suspicious, open for further analysis.
The predictive accuracy of the ML model is increased if supervised learning is used, where human experts need to sample historical data and identify transactions and vendors that were truly suspicious. Consequently, the AI model learns from the training set and can infer the most important features or combinations of features that influence the risk score. For example, the ML model may learn from the training set that the Corruption Perception Index (CPI) score of the country where payment is remitted creates higher risk than not having an invoice for a payment.
Deep learning methods are the best fit for detecting non-compliance. However, these predictive models require substantial amounts of input data and large computational power. In the case of the FCPA, the data sets are usually extremely large, and the AI models are normally run on a cloud platform that provides scalable computational power and memory.
Ten Steps to Initially Assess Your Company's Use of Data Analytics for Compliance
As discussed, data analytics is a valuable tool for ensuring compliance, and intentionality will be needed to realize its advantages. The following ten steps present an initial assessment to understand your company’s current use of data analytics for FCPA compliance and begin developing a strategy for future use of the technology.
- Understand the FCPA: Familiarize yourself with the key provisions, requirements, and implications of the FCPA to ensure you have a solid understanding of the compliance framework.
- Define the scope of the assessment: Determine the specific areas within your company where data analytics is currently utilized for FCPA compliance, such as due diligence, monitoring, risk assessment, or investigations.
- Identify stakeholders: Identify the relevant departments and individuals involved in data analytics for FCPA compliance, including legal, compliance, internal audit, IT, and data analytics teams.
- Review existing policies and procedures: Obtain and review your company’s policies and procedures related to FCPA compliance. Analyze how data analytics is integrated into these processes and assess their effectiveness.
- Evaluate data collection and storage practices: Assess how data is collected, stored, and managed for FCPA compliance purposes at your company. Review data sources, data quality controls, retention policies, data interoperability, and data protection measures.
- Examine data analytics tools and techniques: Identify the data analytics tools and techniques currently employed by your company for FCPA compliance. Evaluate their capabilities, effectiveness, and alignment with FCPA requirements.
- Verify data privacy and security: Evaluate your company’s data privacy and security measures. Ensure that personally identifiable information (PII) and sensitive data are adequately protected and that data access is restricted to authorized personnel.
- Conduct interviews and discussions: Engage in discussions with key stakeholders to understand their roles, responsibilities, and challenges related to data analytics for FCPA compliance. Seek their feedback on existing processes and gather suggestions for improvements.
- Review compliance monitoring and reporting: Assess your company’s monitoring and reporting mechanisms for FCPA compliance. Determine how data analytics is used to identify, investigate, and report potential violations or irregularities.
- Develop recommendations: Based on the assessment findings, develop recommendations for enhancing your company’s data analytics capabilities for FCPA compliance. Include suggestions for process improvements, technology upgrades, and training initiatives.
Integrating Data Analytics for Comprehensive Compliance
As the DOJ has explicitly and implicitly communicated, effectively addressing FCPA challenges requires a comprehensive and proactive compliance program. Integrating data analytics into this program provides organizations with a powerful tool to enhance due diligence, identify anomalies, monitor compliance, assess risks, and drive continuous improvement. By leveraging advanced analytics techniques, companies can strengthen their FCPA compliance efforts, mitigate risks, and foster a culture of ethical business practices. Embracing data analytics as part of the compliance program demonstrates a commitment to transparency, integrity, and responsible corporate citizenship in the international business landscape.
This article was originally published in The Legal Intelligencer.
- “Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group” The Deputy Attorney General Lisa Monaco, Memorandum, September 15, 2022.
- Glenn Leon, Wall Street Journal Risk & Compliance Forum, public address, May 16, 2023.
- “Evaluation of Corporate Compliance Programs,” U.S. Department of Justice, Criminal Division, updated March 2023.
- Dylan Tokar, “Assistant Attorney General, on Eve of Exit, Touts Data’s Growing Role in Crime Fighting,” The Wall Street Journal, July 17, 2023.