The age of data analytics in corporate compliance programs and regulatory enforcement is here.
Not long ago, the use of data analytics and artificial intelligence by corporate compliance departments was a compliance luxury, the preserve of a few well-heeled international conglomerates. Today, these technologies are routinely implemented for diverse corporate initiatives.
Understanding how regulators view the use of data analytics in driving compliance and how data analytics can inform effective compliance programs is critical to ensuring that companies of any size can rise to meet the moment.
So: what is data analytics, and how can it be used to enhance your compliance program?
Broadly speaking, data analytics is the use of quantitative data points to identify trends, and deviations from trends, over time. The process of applying data analytics to enhance organizational compliance looks different from organization to organization, and even between business units within the same company. While the data points you collect can vary greatly, they will often include certain key categories of information, like the number of employees accessing a policy, as well as when, and from where in the world, they access it; the completion rates and subject matter fluency of each business line for compliance trainings; the utilization of any confidential reporting or whistleblowing procedure and the nature of reported claims; reimbursement requests for business-adjacent expenses, like gifts, entertainment, and donations; and the timing, volume, and size of company purchases or sales.
Data analytics and enforcement opportunities
While data analytics is not new, US regulators seemed to realize its full potential in 2019, when the CFTC, SEC, and DOJ levied a multimillion-dollar fine against a significant financial institution for manipulating the precious metals markets using a practice called spoofing.
The regulators’ initial investigation in this case ended in 2013 after hitting a brick wall. However, once regulators obtained access to cutting-edge data analytics tools, they were able to reopen the case. The renewed investigation using data analytics allowed regulators to unravel the conduct and resulted in a fine of $920 million and the indictment of several individuals.
Since that time, the government has made no secret of its intent to use data analytics in myriad other contexts – for example, to detect accounting and disclosure violations in the securities context and to identify Medicare billing fraud.
Data analytics and effective compliance
Compliance programs in all their facets continue to be a focus of the Department of Justice. For instance, in March, Assistant Attorney General Kenneth Polite announced a new policy under which the DOJ would begin requesting that chief compliance officers of companies entering into certain types of settlements certify, among other things, that the company’s “compliance program is reasonably designed to detect and prevent violations” of the law.
AAG Polite’s comments, and subsequent remarks by other senior DOJ officials, underscore the DOJ’s long-standing criteria for evaluating the effectiveness of compliance programs – i.e., whether the program is well-designed, the compliance department is adequately resourced and empowered within the organization, and the program is effective in practice. The use of data analytics in a corporate compliance program has implications for each of these inquiries.
With respect to the first of these criteria – whether a program is “well-designed” – there is no one-size-fits-all requirement that compliance programs use data. Nevertheless, the DOJ – and other regulators – routinely emphasize that a “well-designed” program must be risk based and informed by operational data and information across functions – which effectively makes the use of data analytics a required practice. In short, a compliance program is unlikely to be considered “well-designed” if it does not regularly and actively incorporate data generated across the business into its evaluations of compliance risks. Data must be more than collected – it must be synthesized and used to inform compliance priorities.
The rise of data analytics also has implications for the second criterion – whether a program is adequately resourced and empowered within the organization. Even if a compliance program is designed perfectly, a company is unlikely to get full credit from the DOJ if, for instance, the compliance team is siloed from the business units where the data informing compliance decisions is generated. In other words, consulting the data is not enough. The compliance team must have transparency into who the data is collected from and the way it is collected, and it must have the authority to act on whatever conclusions might be drawn from the data as well as routine access to key decision-makers to communicate the results of compliance data analyses.
In practice, creating an adequately resourced and empowered compliance team may, in the data analytics context, require changes to the ways organizations provide internal access to key streams of data. Compliance and control personnel are expected to work directly with the organization’s accounting and information teams, as well as other key stakeholders, to identify important compliance-related data and make it easily available to control functions. In addition, regulators increasingly appear to be expecting organizations to integrate data and systems locally following mergers, acquisitions, or other impediments.
Finally, it will become more and more difficult to imagine a compliance program that a compliance officer can certify as “effective in practice” and reasonably designed to prevent and detect misconduct without relying on the regular use of at least some data analytics to assess risk, test the efficacy of controls, and inform real-time decision-making. At the most basic level, data can be consulted to identify and neutralize potential compliance trouble spots. But data analytics has the potential to do much more. Indeed, data can help not only identify risks but prioritize compliance threats, inform investigations, and assist in measuring the results.
Artificial intelligence – the next wave
The advent of neural-net artificial intelligence (AI) empowers companies to not only have better access to their data, but also to assess it quickly and more effectively. Neural-net AI has the ability to build neural pathways creating both a memory for specific compliance risks and a more intelligent ability to extrapolate similar problems in non-identical behavior. This allows businesses to harness the power of data analytics to achieve a more effective compliance capability.
By using neural-net AI, it is possible to automate a large swathe of compliance monitoring processes. This can make monitoring and investigatory work quicker and cheaper. Critically, however, it also makes detection quicker and cheaper – and can be used proactively to identify potentially problematic conduct before it becomes a major problem.
Using AI as an effective form of monitoring for problematic conduct creates huge benefits for a compliance program. It can serve as an early warning system to identify problematic conduct, giving companies the best opportunity to spot and address problems before they spiral out of control. It also lets employees know that a particular issue is taken seriously and – in a high-risk section of a business – that monitoring via AI will help to adjust the behavior better than training alone.
Monitoring can also demonstrate the effectiveness of compliance measures that have been put in place to identify what has worked and to help adjust and improve compliance programs over time. For instance, DLA Piper has built its own award-winning neural-net AI service, Aiscension, which detects signals of cartel and bribery behaviors. Aiscension was developed in conjunction with Reveal and pretrained across DLA Piper offices with access to a wide volume of training data. AI tools like Aiscension, and others on the market, can be proactively deployed by companies to improve compliance oversight by facilitating early detection of potentially problematic conduct. Such deployment must be done thoughtfully and with an eye towards de-risking the company’s operations.
Key takeaways to building a data-driven program
Data analytics and AI have enormous potential to help savvy compliance officers assess the effectiveness of their programs, identify gaps, and address red flags early on, but building a data-driven compliance program that meets the standards set by the government can be labor- and resource-intensive – two critical elements that are frequently in short supply for most compliance teams.
For businesses of any size, though, data analytics can help fill these gaps, and the initial steps are the same. Simply getting started is often the hardest step.
Begin by assessing what data is available to the compliance team and evaluating the potential uses of analytics in light of the organization’s size, geographic presence, level of available resources, business model, and overall risk profile. Companies should seek to employ the forms of data analytics most relevant to their business and identified risks. Rather than getting overwhelmed by the variety of potential sources and uses of data, an organization should consider the data it already collects about its business practices, the quality of that data, where that data is housed, and how best to obtain access. This may be especially important for companies with fewer resources to devote to developing analytics programs from scratch. It is often easier to fine-tune data that is already collected than to create entirely new reporting streams.
Once priorities are set and pre-existing reporting structures identified, organizations have a number of choices, ranging from third-party tools and vendors to outside counsel, to help them synthesize, parse, and understand the trends emerging from the data. Start by looking at data underlying known risk areas or issues and build and refine the analysis from that starting point, before turning the analysis to more nuanced issues. Refining your data analytics strategy takes time, and that strategy will necessarily evolve and improve as trends emerge.
In sum, the use of data has found its way to corporate compliance. Compliance professionals for organizations of any size should give serious consideration to how analytics and AI can be deployed to augment, inform, and streamline compliance programs. Doing so is no longer a luxury but an expectation of regulators that must be met.