The role of compliance data analytics in monitorships
Introduction
Government regulators around the world are reinforcing the need for organisations to use data analytics to ensure that compliance programmes are high performing, targeted and risk based. As a result, monitors will evaluate whether companies (1) sufficiently use data analytics to effectively manage, process and analyse data to identify relevant risks and (2) incorporate data analytics into compliance remediation efforts. In this chapter, we discuss regulatory expectations around the use of data analytics in compliance programmes, how to incorporate data analytics into compliance processes, and best practices for how companies can leverage data analytics within the compliance function.
Regulatory expectations
In a 2020 update to guidance for the evaluation of corporate compliance programmes, the US Department of Justice (DOJ) began placing more emphasis on the steps that organisations are taking to manage their data and how they are empowering their employees to access and utilise that data. The guidance states that prosecutors will consider whether an organisation’s compliance function has ‘sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions’. The DOJ has also clearly signalled that there are potential ramifications for companies that choose not to prioritise the use of data in their compliance programmes. Nicole M Argentieri, Acting Assistant Attorney General for the Criminal Division of the DOJ, stated in a November 2023 speech that ‘if misconduct occurs, our prosecutors are going to ask what the company has done to analyze or track its own data’.
Other global enforcement agencies, such as the United Kingdom’s Serious Fraud Office (SFO), have also incorporated the use of data analytics into their initiatives. For example, the SFO’s guidance on deferred prosecution agreements (DPAs) states that ‘A DPA may require a Company to implement a compliance programme and/or to make changes to an existing compliance programme. [This] could include any specific requirements deemed necessary and proportionate such as the use of data analytics to test compliance controls and behaviour.’
In line with the guidance from global regulators, we have observed a trend involving a direct linkage between recent regulatory prosecutions that resulted in more lenient settlements and the proactive use of data analytics in compliance programmes. For example, the DOJ press release for the Albemarle investigation states that the company’s penalty was reduced by 45 per cent off the lowest end of the applicable fine range, in part due to ‘[the use of] data analytics to monitor and measure its compliance program’s effectiveness’.
Given the recent focus from global regulators, it is evident that organisations must keep data analytics front of mind when designing, implementing and evaluating compliance programmes.
Enhancing oversight with data analytics
There are myriad opportunities for companies to leverage data analytics to enhance their compliance programme. This section will focus on the compliance areas where we have observed that the use of data analytics is most impactful: risk evaluation, monitoring and testing, and communication and reporting.
Evaluating risk
In today’s data-rich environment, it is prohibitively expensive and difficult for compliance departments to manually review every transaction to detect potential misconduct. To ensure that time and resources are directed at the areas most relevant for the company, data analytics assist organisations in more quickly targeting the activities and transactions of highest risk. A company may use various methodologies, ranging from basic business intelligence and reporting to more complex predictive and prescriptive analytics applied to a variety of structured and unstructured data formats (e.g., databases, spreadsheets, text documents, images, audio and video). In the following paragraphs, we discuss how companies may leverage data analytics to evaluate risk and prioritise action, as well as what monitors would expect to see in their evaluation of a company under monitorship.
Risk assessment process
A company’s risk assessment aims to identify, evaluate and rank an organisation’s legal and regulatory risks, as well as the corresponding mitigating measures. Risk assessments are key to ensuring that efforts relating to the improvement or transformation of a compliance programme are executed in a targeted and efficient manner.
At the beginning of a risk assessment, data analytics can facilitate the identification of potential risks by allowing compliance teams to analyse vast amounts of data, such as transactional data or historical compliance data, to uncover patterns, anomalies and trends that signify these risks. For example, profiling historical allegations and investigations data can highlight areas of potential risk and control gaps.
During the later stages of risk assessments, company personnel can use data analytics to automate a company’s gross and net risk calculations using algorithms. Further, compliance teams can combine data analysis and visualisation techniques to automate the creation of risk summaries when reporting to management or communicating progress on compliance initiatives, which helps management to digest and synthesise information to draw actionable insights. For example, compliance teams can create an interactive dashboard to visualise gross and net risks on a heat map and provide functionality to drill down on specific risks to assess specific details.
The compliance team will then use the results of the risk assessment to guide subsequent compliance-related activities (e.g., implementing additional controls or redesigning existing procedures).
Establishing priorities in the compliance function
Companies should use risk assessment results to prioritise compliance-related efforts and reviews (i.e., compliance audits) on the geographical locations, business partners and transaction types with heightened risk. In order to identify transactions in those high-risk areas that require further review, a mature compliance function will then rely on data analytics to analyse vast amounts of data stored across a variety of systems and captured in formats that are difficult to cross-analyse. This transactional data review can be used to prioritise transactions according to related risk and provide more information about the nature of the company’s higher-risk transactions. For example, if analytics identify significant gifts and hospitality activity in a specific subsidiary, the company should ensure that its anti-bribery and corruption control environment in that subsidiary adequately mitigates the risk.
Monitor’s evaluation
Monitors may not expect every aspect of the risk assessment process to incorporate sophisticated data analytics. However, they will focus on how a company approaches risk assessments, in particular what sources of information and types of data are used and what kind of analyses were performed to identify and evaluate areas of greater risk. Companies are expected to take into account their operational activity when designing their compliance programme, to ensure that it is in accordance with the company’s risk profile as opposed to using off-the-shelf compliance programmes that are likely to end up with significant shortcomings in relation to risk mitigation. A monitor’s evaluation of the risk assessment may also include testing to assess whether the prioritised areas accurately reflect the actual risk profile of the company.
Ongoing monitoring and testing
Regulators expect companies to have processes in place to continuously perform monitoring and testing procedures to assess for compliance with both regulatory requirements and internal policies. As previously highlighted, it is not feasible, due to the time required and the associated cost, to manually review large amounts of information in data-rich environments. Data analytics support this process by allowing for rapid combing of data sets to draw insights and identify areas for further testing, such as through flagging specific transactions and communications that may be indicative of an intentional circumvention of controls.
Ongoing monitoring
‘Ongoing monitoring’ refers to the embedded surveillance procedures within a company aimed at different elements of a company’s activity, including operational transactions, processes or communications. This type of analytics is particularly useful for companies that operate within complex regulatory frameworks, such as financial services or telecommunications organisations, which require live review of vast amounts of data to identify patterns or flag issues. For example, sophisticated compliance teams in the financial services industry will rely on data analytics to provide real-time analysis of transactional data and systematically flag anomalies or deviations according to pre-established compliance criteria. Companies can take similar approaches with internal and external communications, such as continuously screening for certain terms or phrases associated with higher compliance risks, such as ‘manipulation’ or ‘override’. To ensure higher rates of success, compliance teams should calibrate the criteria used in monitoring and detection procedures to align with the company’s current risk profile. The criteria should be continuously updated with relevant findings from internal investigations, regulatory or industry best practices, internal audits and risk assessment results.
Testing
While ongoing monitoring focuses on enhanced oversight, companies should also leverage data analytics to test the adequacy and reliability of compliance measures. Testing assesses the design and operational effectiveness of specific controls and processes within a compliance programme. For instance, compliance teams can seek to verify whether approvals were obtained by an employee prior to incurring expenses relating to gifts and hospitality, as required by the company’s internal policies.
Data sets are frequently too large to test the complete population, so companies may utilise a sample approach. In this situation, companies must first establish sampling criteria to ensure that the testing population includes representative samples, and then design testing steps to assess the effectiveness of the compliance procedures. Companies with operationally mature compliance programmes will likely use data analytics to establish the sampling criteria and make sample selections. For example, data analytics can be used to identify patterns and efficiently understand the universe of operational transactions. An organisation can then tailor the sample selection to align with its risk profile.
Monitor’s evaluation
Monitors will evaluate how data analytics tools are integrated into the company’s process for monitoring and testing compliance requirements. Their review will also assess the effectiveness of these tools in identifying real-time deviations from set compliance standards. More specifically, the monitor will be concerned with the ability of these tools to provide prompt alerts for potential breaches, how alerts trigger subsequent review, and how corrective actions are initiated and implemented, if needed. Companies can also expect monitors to evaluate the company’s approach to testing. In particular, the monitor will determine whether the company’s testing methodology (including sample size and selection), scope of review, testing steps and criteria, and frequency of testing are appropriate, given the company’s risks. Ultimately, the monitor will want to obtain sufficient assurance that companies have implemented stable and rigorous systems with procedures that allow for vigilant and unobtrusive compliance oversight.
Communication and reporting
We have discussed how data analytics offer a valuable means to uncover insights in large volumes of data that would otherwise be impractical to review. A crucial next consideration is how to effectively share these insights with stakeholders. Compliance teams can also leverage data analytics here to support effective communication through documentation, visualisation and report automation.
Streamlining reporting processes
Companies with sophisticated compliance programmes will use data analytics and visualisation to strengthen reporting to management and the board on compliance-related items, such as the company’s risk profile, tracking attestations and completion of required compliance trainings, etc.
Data analytics can also facilitate the documentation and reporting following the completion of compliance procedures. The time required to adhere to compliance procedures (e.g., the preparation of documentation and reports such as due diligence reports or reports to risk management committees on the status of identified risks) is often raised as a concern by customer-facing employees. Leveraging data analytics to assist in completing these steps can minimise the impact and help ensure buy-in from employees throughout the organisation. Required reports can be automated to ensure that user input is kept to a minimum, the second line of defence receives more immediate feedback, and reports are standardised to facilitate review by the second line of defence. Project managers reporting on risk management can also benefit from automated risk management tools. For example, project characteristics such as revenue amount, customer and nature of the work are provided as inputs, and any outputs (e.g., updates to a business unit’s risk profile) are fed directly to relevant stakeholders and incorporated into databases that can later be queried, as needed.
Monitor’s evaluation
A company’s ability to enhance communication using data analytics is an important area of focus for the monitor due to its potential to enhance transparency and facilitate comprehension of the intended message, which, in turn, reinforces the culture of compliance within the organisation. The monitor will assess how the work of compliance teams is reported to management, the content of such reports, and how the company’s systems and processes are used to support management’s decision-making.
Data analytics best practices
The monitor will deliver recommendations for the company to implement throughout their evaluation of a company’s compliance programme. Aligning with regulatory expectations regarding the use of data analytics, it is reasonable to expect that the monitor’s recommendations will include some items relating to these capabilities, either to enhance compliance effectiveness or to automate existing procedures. In this section, we discuss some best practices for managing data, as well as how companies can overcome some of the most common challenges in applying data analytics to compliance, in order to better address these monitor recommendations.
Technology
In corporate compliance, technological resources must be aligned with operational objectives. This requires a collaborative approach between the compliance and the technology departments, including those tasked with data governance. Companies should review their technological infrastructure annually to determine whether existing systems are adequate for data storage and analysis, and to ensure that they are able to facilitate compliance mandates and pre-empt issues relating to future system scalability and maintainability.
The selection of technology platforms and tools depends on several factors, including the volume of data accrued by the organisation, the types of data and the intended analytics. More generally, it is a best practice to gather data for compliance into a centralised repository (e.g., a data warehouse), from where employees with the appropriate permissions can directly access the encrypted data from their analytics software. Building a ‘single source of truth’ streamlines data management and reinforces data integrity and security.
Internal resources
Alongside proper technology, building robust internal resources is crucial for the sustainable success and adaptability of an organisation. Companies tend to provide compliance teams with data analytics capabilities in one of two ways. Some companies use data analytics resources from other departments, such as IT or an organisational data or analytics group, to provide support on an ad hoc basis through requests from the compliance team. Other companies hire data analytics experts or train their compliance staff in data analytics and use IT as more of a core technology support, similar to the rest of the organisation. The latter option is generally preferred. Optimally, compliance departments should have their own data analytics-trained team members. This helps bring key insights into the compliance team, ensures continuity of knowledge, improves alignment with compliance objectives and reduces competition for resources in this key business function.
Data
Data inventory
A comprehensive data inventory is the core of any data analytics initiative within a compliance framework. This foundational step involves cataloguing all data sources and analytics in use, together with the compliance processes they support. Aligning this inventory with the organisation’s overall risk assessment can help determine areas where data analytics are underutilised.
Data quality
In cataloguing the data sources, the data inventory should also assess the data quality and integrity of each source. Reliable data is crucial for effective analytics; therefore, the consistency, accuracy and completeness of the data being used should always be captured and assessed. Additionally, a company must consider whether multiple data sources are involved for each process and, if so, how easily they are integrated. For organisations that are in the initial stages of their data analytics journey, it is often the case that data used by compliance will be scattered across multiple systems. As a company’s compliance data analytics programme matures, however, source data is often gathered into a single repository from where it can be accessed by the compliance team with close to real-time updates.
Record digitisation
Sometimes, there may be areas of interest to compliance for which there is currently no organised digital system of record. For example, there may be subsidiaries that are keeping paper records, or a department’s records may be kept in separate monthly spreadsheets. To enable proper compliance data analytics, these sources must be digitised and stored in a way that makes the data easy to access across time periods. Additionally, processes must be put in place to keep these records digital going forward. This will allow algorithms to process the data and help identify risk and it will also aid in any sampling selection and compliance review processes.
Data privacy
In cross-border and multi-jurisdictional enterprises, it is inevitable that there will be data privacy and management considerations to ensure that data collected, reviewed and analysed supports the overall goals of compliance. For instance, General Data Protection Regulation legislation brings additional data management challenges where relevant data relates to residents of the European Union. In these cases, it is important to consider what data will be consolidated, where it will be stored and where it will be reviewed. Companies should work closely with their legal counsel to determine the course of action that is right for them and their operational jurisdictions.
Benchmarking
Benchmarking against industry peers is a critical strategy for keeping up with the changing compliance landscape. It involves comparing an organisation’s compliance and data analytics practices with those of similar entities in the same industry. The ultimate goal of benchmarking is to identify best practices and emerging trends and then to integrate those into an organisation’s compliance programme. It is important, however, to tailor these practices to fit the specific context and needs of the organisation.
Understanding industry-specific nuances, including relevant compliance risks, legislative requirements and data considerations, is vital in benchmarking efforts, ensuring that comparisons are relevant and insights are actionable. For instance, financial institutions grapple with stringent anti-money laundering regulations, while healthcare organisations must navigate strict controls regarding interactions with healthcare practitioners. Industry-specific conferences and workshops – especially those with a compliance focus – are a key place to gain insights directly from peers and experts, and industry-specific publications, compliance surveys and industry reports can also provide a wealth of information.
Feedback mechanisms
Companies operating compliance programmes with strong feedback mechanisms will perform better in the long run. After incorporating observations – from audits, risk assessments, and compliance monitoring and testing – into annual compliance planning, companies should then determine priority actions according to those inputs. This feedback process should also scrutinise the methodology used to refresh risk profiles and modify internal controls based on analytical findings. Additionally, compliance and data analytics teams should update data analytics algorithms and processes based on direct feedback from compliance reviews.
Continuous improvement
Continuous improvement, especially in the area of data analytics, is key to ensuring that a compliance framework remains efficient, effective and relevant. The underlying philosophy is a commitment to a proactive, forward-looking approach. This phase involves regular evaluation and enhancement of the compliance processes to adapt to new challenges, changes in the business environment, regulatory demands and advancements in technology. For instance, over time, this might include adopting more advanced data analytics software that integrates artificial intelligence (AI) for machine learning and predictive analytics, or enhancing data security measures.
Conclusion
The integration of data analytics in compliance programmes offers benefits across multiple compliance functions, from improved risk identification and proactive monitoring to better decision-making. As companies continue to leverage existing technology and look to incorporate emerging technologies (e.g., AI and machine learning) into their compliance processes, it will be critical to adapt current compliance frameworks. While, in theory, it may be easy to envision, for example, how incorporating predictive analytics capabilities and automating certain compliance processes could improve the compliance team’s outcomes, companies will still need to ensure that integrating these technological advancements produces the intended results and meets stakeholder expectations. Embracing technological advancements responsibly can help organisations stay ahead of the curve when it comes to meeting the ever-evolving regulatory requirement landscape while maintaining the integrity of their compliance processes.
Endnotes
Jenna Voss and Samantha Hsu are partners and Andrew Petryszak and Jorge Lopes are associate directors at Forensic Risk Alliance, Inc. The authors thank Anushka Ram, a former director at Forensic Risk Alliance, Inc, and Shivam Patel and Luke Swallow for their contributions.
‘Data analytics’ refers to the systematic computational analysis of data using techniques and processes aimed at extracting meaningful information from raw values.
US Department of Justice, ‘Evaluation of Corporate Compliance Programs’, March 2023 (cited 15 January 2024), at https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline.
US Department of Justice, ‘Acting Assistant Attorney General Nicole M. Argentieri Delivers Keynote Address at the 40th International Conference on the Foreign Corrupt Practices Act’, 29 November 2023 (cited 10 January 2024), at https://www.justice.gov/opa/speech/acting-assistant-attorney-general-nicole-m-argentieri-delivers-keynote-address-40th.
Serious Fraud Office, ‘Deferred Prosecution Agreements’, October 2020 (cited 12 January 2024), at https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/deferred-prosecution-agreements-2/.
US Department of Justice, ‘Albemarle to Pay Over $218M to Resolve Foreign Corrupt Practices Act Investigation’, 29 September 2023 (cited 10 January 2024), at https://www.justice.gov/opa/pr/albemarle-pay-over-218m-resolve-foreign-corrupt-practices-act-investigation.
The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Union and put into effect in May 2018 that imposes obligations onto organisations that target or collect data relating to people in the European Union.