Harnessing a data analytics compliance program | American Conference Institute (ACI)

In recent years, U.S. enforcement agencies have signaled that a data analytics-driven compliance program is more than a nice-to-have; it’s a must-have if companies are going to get more adept at demonstrating the effectiveness of their anti-corruption compliance programs to regulators.

When the U.S. Department of Justice issued its updated “Evaluation of Corporate Compliance Program” guidelines in June 2020, for example, it emphasized that prosecutors should evaluate whether companies have in place a data-driven compliance program to detect potential misconduct and continuously monitor the effectiveness of their compliance programs.

In evaluating whether a compliance program is “adequately resourced and empowered,” the Justice Department directs prosecutors to consider the following questions: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”

Companies in highly regulated industries—such as financial services, pharmaceuticals and life sciences—or companies that have been subject to an enforcement action in the past are more likely to have a more mature data-driven compliance program than those in less regulated industries or with no history of enforcement actions.

For companies that do not fall in either of these buckets, or for small- and medium-size enterprises that don’t have massive compliance budgets, establishing a data-driven compliance program may seem like a daunting and costly ask, but it doesn’t have to be that way.

While chief compliance officers are not data scientists, they still have an integral role to play in integrating data analytics into compliance processes and can do so by taking the following steps:

Identify all relevant and easily accessible data sources. Chief compliance officers should become familiar with the relevant, easily accessible sources of data in the organization that can help detect risks such as fraud, waste, and abuse; sanctions risk; and third-party risks. Easily accessible data in most companies includes accounts payable (AP) data; travel and entertainment (T&E) expenses; gifts and hospitality data; hotline data; and sales and marketing data, to name a few.

The best use cases often reside in this readily available data. Spend is one key risk area to monitor: for example, unusually high employee spend associated with a certain customer account, or unusually high spend on a particular vendor. T&E expenses, like reimbursements associated with government officials, are another risk area.

An invoice received before a purchase order has been created is another red flag. “You shouldn’t see an invoice date before a purchase order date,” said Andy Miller, chief analytics officer at Lextegrity. “Further, you shouldn’t see a payment date before a purchase order date.” Other red flags to watch for include duplicate spend or duplicate vendors, he said, which can signal messy processes and departments that are far more susceptible to bribery and corruption schemes.
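The date-ordering and duplicate red flags described above can be expressed as simple rules over accounts payable records. The following is an added example, not code from the article or from any vendor it mentions; the field names, the sample records and the vendor-name normalisation used to match duplicate vendors are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample AP records (not real data); field names are assumptions.
RECORDS = [
    {"id": "T1", "vendor": "Acme Supplies Ltd.", "invoice_no": "INV-100", "amount": 1200.00,
     "po": date(2023, 3, 1), "invoice": date(2023, 3, 5), "paid": date(2023, 4, 1)},
    {"id": "T2", "vendor": "Borealis Consulting", "invoice_no": "B-77", "amount": 9500.00,
     "po": date(2023, 5, 10), "invoice": date(2023, 5, 2), "paid": date(2023, 5, 20)},
    {"id": "T3", "vendor": "Cobalt Travel", "invoice_no": "C-9", "amount": 4300.00,
     "po": date(2023, 6, 15), "invoice": date(2023, 6, 16), "paid": date(2023, 6, 1)},
    {"id": "T4", "vendor": "ACME SUPPLIES LIMITED", "invoice_no": "INV-100", "amount": 1200.00,
     "po": date(2023, 3, 1), "invoice": date(2023, 3, 5), "paid": date(2023, 4, 8)},
    {"id": "T5", "vendor": "Delta Freight", "invoice_no": "D-1", "amount": 800.00,
     "po": date(2023, 7, 1), "invoice": date(2023, 7, 3), "paid": None},  # not yet paid
]

LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "co", "corp"}

def vendor_key(name):
    """Normalise a vendor name so near-identical master records collide."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def red_flags(records):
    """Return ({transaction id: [flags]}, {vendor key: [spellings]})."""
    flags = defaultdict(list)
    same_payment = defaultdict(list)   # (vendor, invoice no, amount) -> ids
    spellings = defaultdict(set)       # vendor key -> names seen in the data
    for r in records:
        po, inv, paid = r["po"], r["invoice"], r["paid"]
        if po and inv and inv < po:
            flags[r["id"]].append("invoice_before_po")
        if po and paid and paid < po:
            flags[r["id"]].append("payment_before_po")
        key = vendor_key(r["vendor"])
        same_payment[(key, r["invoice_no"], r["amount"])].append(r["id"])
        spellings[key].add(r["vendor"])
    for ids in same_payment.values():
        if len(ids) > 1:               # same invoice paid more than once
            for tid in ids:
                flags[tid].append("duplicate_spend")
    dup_vendors = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return dict(flags), dup_vendors

if __name__ == "__main__":
    print(red_flags(RECORDS))
```

Records with a missing date are skipped for the date comparisons rather than flagged, so unpaid invoices do not produce false positives.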

In addition to identifying all data necessary to detect and monitor the company’s unique fraud and corruption risks, prudent chief compliance officers know the value in building partnerships and having strategic conversations with the heads of relevant business units—the end users who own the data—like finance and accounting. In a small company, those departments may also be acting in an internal audit or risk-monitoring role.

By talking to the finance team, chief compliance officers often walk away with a good amount of data they can start leveraging right away, said Mason Pan, director of data analytics at BDO. Such a partnership could also provide benefits from a cost standpoint, because if compliance and finance can both leverage the same data, they may also be able to share the budget, making it less of a financial ask, he said.

Establishing a relationship with the IT department is important as well. “Take your chief technology officer out to lunch,” Pan said. If the company has a chief data officer, build a relationship with that individual as well.

Begin with a risk-based approach. To avoid creating an over-engineered compliance program and analyzing more data than necessary, concentrate on the highest risk areas first, based on the inherent risks of the business. “It has to be built from a risk-based approach,” Pan said.

“Start small,” Pan added. “Start with a proof of concept … focused on one geography or one business unit for one type of risk that you’re trying to monitor,” such as starting with a two- or three-year historical lookback of data on third-party payments made by one business unit to see if there are any potentially problematic payments being made, he said.

Starting small also will make it easier for compliance to prove to the C-suite and the board the return on investment when requesting to expand a data-driven compliance program, “like live monitoring or doing another historical lookback and focusing on another business unit or another type of risk,” Pan said. “Getting that initial scope right is really critical.”

For companies in the earliest stage of a data-driven compliance program to help spot risks, consider turning to benchmark reports like Transparency International’s annual Corruption Perceptions Index and the TRACE Bribery Risk Matrix, which risk-rank countries by corruption risk. Those reports can help compliance officers “gain insight into where you might want to start looking, where maybe the lowest hanging fruit would be,” Miller said.

Implement a data repository. A data-driven compliance program demands having a tool that pulls data from all systems, databases, and parts of the business. Some companies choose to have their IT team build a data analytics system in-house or maintain a data lake internally, where structured and unstructured data is stored.

Companies that choose this route also typically have data scientists that then analyze the data looking for outliers and trends to identify risks. However, that still requires getting input from the chief compliance officer and forensic accountant to ensure relevant data is being pulled concerning anomalies and trends that may be indicative of things like fraud, corruption or waste and abuse.

Many service providers today enable compliance analytics without IT having to build an on-premise infrastructure, however. The advantage of this option from a compliance standpoint is it puts more direct control in the hands of compliance from a data analytics standpoint, rather than putting it in the hands of IT, which may not prioritize such a project in the same way compliance would, Miller said.

“Data harmonization doesn’t just mean getting the data into one place, it also means making the data understandable,” Miller said. Lextegrity’s Integrity Gateway software platform, for example, applies analytics to a company’s spend and revenue transactions globally, supplemented by procurement data, approval data, and a variety of master data to monitor and detect high-risk transactions in real-time.

Additionally, Lextegrity’s risk library contains dozens of risk, behavioral, statistical, and policy-based analyses that negate the need for data scientists or data engineers. End users also have the ability to drill down even deeper into the data to analyze spend by specific vendors or employees over time, or based on a specific geographic area.

Historically, companies would have to randomly select a group of transactions to audit, but through machine-learning and artificial intelligence capabilities today, companies can analyze all transactions in real-time, applying a risk-scoring algorithm. “That is a defensible approach because the methodology used to score the risk is transparent,” Pan said.

Lextegrity’s transaction monitoring application, for example, risk-ranks every transaction and provides an overall risk score, taking into consideration dozens of individual risk analytic results. Whatever solution a company uses to risk-rank its transactions or geographic regions, that risk score indicates to compliance which areas may require enhanced due diligence, or may even be cause for an internal investigation.

Clean the data. Once the data is in a centralized location, the process of cleaning the data can begin. “The cleaner the data, the less false positives you’re going to get,” Miller said.

A key part of ensuring data is as clean as it can be is to ensure compliance, audit and other end users provide a continuous “feedback loop,” Miller said. For example, maybe a certain key word (e.g., Spa) is creating too many false positives and needs to be tuned and refined, he said.

“Don’t just create it and forget it,” Pan said. “We recommend always looking at the output and giving that feedback to the model. That feedback and iterative process is another absolute critical piece to do it right.”

Demonstrate program effectiveness with data visualization. Data visualization essentially means making large amounts of data visually attractive through the creation of charts and graphs to make it easier for the C-suite and the board to interpret the data and get a visual picture of where there are areas of risk or patterns of risk.

However, a picture is worth a thousand words only if you understand the data. Starting with data visualization would be “like trying to paint the Mona Lisa without having any of the foundational painting skills,” Miller said.

Act upon the data. No data-driven compliance program would be truly effective if compliance, audit, and the business did not act upon what was gleaned from the analytics. This means taking any necessary remedial action, documenting those measures, and further holding culpable individuals accountable for any misconduct that is discovered.