Law360 (June 26, 2020, 4:39 PM EDT) --
This data revolution has allowed for a more scientific approach to analyzing trends and spotting business opportunities. More recently, companies have begun to turn these capabilities toward addressing compliance and regulatory risks.
Big data can be an effective and efficient tool for proactively managing compliance risks. It can help companies identify problematic trends or activities, modify their compliance processes and procedures, and allocate compliance resources in a more efficient manner.
It is now also becoming apparent that the economic and social disruptions caused by the COVID-19 pandemic, coupled with the U.S. Department of Justice's recent recognition of the importance of data analytics in compliance, are likely to accelerate the adoption of these practices and lead them to become best practices.
As discussed below, an organization considering taking advantage of these new practices should proceed deliberately to ensure that it does so effectively, responsibly and in a manner that strengthens its overall compliance program.
Use of Data Analytics in Ethics and Compliance Programs
Companies have access to a variety of data that can be mined for compliance purposes. For a number of years, companies have been moving away from paper processes to electronic-based compliance systems (including systems that allow for electronic approvals, questions and reports). This has created rich data sets that can be analyzed for compliance trends and anomalies.
Other data sources captured by the business may also be very useful, including financial data, sales and procurement data, expense figures and human resources information, among other sources.
Collecting and assessing information from these sources yields valuable insights into a company's risk profile, improving compliance controls by placing more data in the hands of compliance officers making critical decisions about risk.
For example, sales data can be monitored in real time to ensure that anomalies, such as abnormally large increases in order sizes or new customer accounts, can be quickly reviewed and closely monitored. Travel data can be recorded to help the compliance department identify potentially new target geographies or opportunities even before they turn into a sale.
Accessing and analyzing data in this way can also assist with the allocation of compliance resources.
For example, using tendering data, the compliance function of a multinational construction company with widespread operations can determine in real time where to allocate resources by identifying markets with significant activity, a large number of tenders involving government entities, or other similar factors that would increase compliance risk.
Impact of COVID-19
The benefits of utilizing data analytics for compliance are becoming even more pronounced in light of the social and economic impact of the COVID-19 pandemic.
One of the most immediate and direct compliance-related impacts of the pandemic has been the practical effect that social distancing and travel restrictions have had on the ability of compliance personnel to monitor employee activity. Planned compliance audits, site visits and in-person training have been cancelled, postponed or converted to virtual exercises.
Compounding these issues, the move toward remote work necessitated by the pandemic also raises the specter that employees will feel emboldened to push the boundaries of acceptable conduct because they feel protected from the prying eyes of compliance and auditing functions.
As in-person monitoring has become more difficult, companies have had to look into new ways to remotely monitor the activities of employees, including through data analytics.
The pandemic has also altered both the marketplace and operational profile of many companies, often in ways that increase compliance risk. Disruptions to supply chains, for example, have increased the likelihood of both commercial and public sector bribery as competitors vie for increasingly scarce resources.
Likewise, increased difficulties with logistics, particularly customs clearance, also create a greater risk of employees engaging in misconduct in a misguided effort to ensure business continuity. Having the ability to access procurement and logistics data in real time can help alleviate these concerns, providing compliance with a window into high-risk processes that can aid in the timely identification of problematic activities.
Contractions in economic activity caused by the pandemic can also lead to a greater need to obtain new clients or increase orders from existing accounts, which can result in an increased risk of bribery, fraud and related misconduct.
Being able to access data on tendering processes, business expenses, third-party due diligence, donations and sponsorships, and other potentially risk-exposed activities can aid in addressing these risks, particularly as compliance personnel are unable to conduct onsite reviews or in-person interviews.
DOJ Compliance Guidance
The use of analytics in compliance also received a boost from the DOJ's June 1 update to its evaluation of corporate compliance programs guidance. The compliance guidance is designed to aid federal prosecutors in evaluating corporate compliance programs when making charging and settlement decisions and when determining any related monetary penalties or compliance obligations.
The DOJ's most recent update provided additional insight into some of the more nuanced considerations used to assess a compliance program, including a new emphasis on data analytics.
The compliance guidance now encourages prosecutors to consider how a company utilizes its access to data to improve the compliance function. Prosecutors will evaluate whether compliance and control personnel have "sufficient direct or indirect access to relevant sources of data," such that they can timely and effectively monitor and test policies, controls and transactions.
Prosecutors are also instructed to look for any impediments that would limit access of the compliance department to relevant sources of data.
When assessing a company's risk assessment practices, the compliance guidance now also suggests that prosecutors consider whether a company conducts updates and revisions to its risk assessment that include continuous access to operational data and information across functions, as opposed to only periodic reviews that are limited to a snapshot in time.
These data-related revisions to the compliance guidance were among only a few changes in the June update, suggesting that they were a key driver in issuing the update and a key area of focus for the DOJ.
In light of changes caused by the COVID-19 pandemic, and the updated compliance guidance, it is apparent that data analytics is quickly becoming a best practice for mature compliance programs.
But a number of questions remain for companies considering implementing or improving these tools. What, exactly, the DOJ expects of companies will likely be an issue that receives significant attention in the coming years.
There is also still significant uncertainty regarding how to best use data analytics to address some of the enhanced compliance risks presented by the COVID-19 pandemic.
While each organization will have to approach these challenging issues with an eye toward its unique risk profile, there are some overall guiding principles that apply universally:
1. Supplement, don't replace.
Data analytics and other technologies can aid compliance functions, assist with routine tasks and free up compliance personnel to focus on more complex issues, such as performing root cause analyses, understanding anomalies or performing remediation. They can also create efficiencies and reduce certain costs.
However, companies would be wise to avoid the temptation to consider these tools as lower-cost replacements for well-trained and motivated compliance personnel or other foundational elements of a well-functioning compliance program.
Regular training, a strong tone at the top, tailored policies and procedures, and other compliance best practices remain critical. We are a long way off from fully automated compliance departments and compliance programs.
2. Do the legwork; consider the long game.
Companies considering increasing their investment in data analytics for compliance purposes should take time to solicit input from departments and business units that will be impacted to identify potentially useful sources of data and complementary technologies.
Companies should also solicit input from these resources regarding the data sources and technology that are on the horizon to adopt a solution that can be adapted to these expected changes.
3. With big data comes big responsibilities.
Organizations will need to exercise caution in the type of information they collect, how it is collected and how it is protected.
Companies considering more advanced measures, such as using algorithms to identify red flags in email traffic or identify potential conflicts in hiring, will need to consider the implications of potential data privacy and protection laws.
Any company that is collecting and using data must take appropriate steps to protect it, particularly if it includes personal information of employees or third parties or valuable data regarding company operations.
4. One size does not fit all.
As data analytics tools and other technologies become common, there will be a growing expectation that companies — particularly those with mature compliance programs — are using these tools.
There will be a variety of options and models available, and organizations will need to take a close look at their operations, resources, geographic scope, access to different types of information, prior compliance events and other relevant factors to determine how best to implement these new tools.
Michael DeBernardis is counsel and Jonathan Zygielbaum is an associate at Hughes Hubbard & Reed LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
For a reprint of this article, please contact email@example.com.