How do compliance teams in major corporates keep pace with the exponential growth of company data and the wealth of regulation they face? And in the face of this, how do they maintain an effective compliance programme robust enough to mitigate risk and promote ethical practices?
Well, the U.S. Department of Justice (DOJ) has something to say about that, in its hefty 25-page guidance document, new for 2024: "The Evaluation of Corporate Compliance Programs" (the Guidance[1]). The Guidance underscores the importance of embedding a data analytics programme into a compliance programme to deal with the twin perils of oceans of data and increasing regulatory scrutiny.
In this article we consider the role of data analytics in the face of the DOJ Guidance and the tests and monitoring strategies companies can employ. Data visualisations are a hugely beneficial method of conveying key findings to compliance teams and senior management and we will endeavour to explain why.
Why Data Analytics Matters
The question of whether a compliance programme is effective in design or in practice is at the heart of the Guidance. The conclusion reached is that, without properly understanding the company's data, the programme is not effective. This means that relying on the core policies and procedures you would expect to make up any robust compliance programme is not enough – data analytics tools are required to monitor risks, identify red flags and attempt to stop misconduct in real-time. The Guidance is clear that data analytics is necessary to proactively identify problems, enabling the company to stem the bleeding and embed learnings to continuously improve the programme.
Proactive Monitoring and Testing
Analytics allows compliance teams to run tests and look for anomalies across huge data sets. We communicate electronically constantly – emails, chats, messaging – and we generate vast quantities of data across a plethora of apps and systems throughout the working day. Manually monitoring these communications and inputs is impossible and policies and procedures can be bypassed by rogue employees. It follows that automating checks to identify outliers and unusual activity makes perfect sense. By doing so, companies can identify patterns of behaviour or be alerted to potential problems, such as bribery risk, sanctions breaches, or fraud before they emerge.
Risk-Based Approach
It is a tired adage, but one size does not fit all. The Guidance indicates the DOJ's view that a company should develop its compliance programme to respond to the specific risks it faces – be that exposure to specific industries, geographies, or product types – and to the complexity of its operations. Again, data analytics can assist here, with data driving risk assessments, giving a company a retrospective breakdown of its activities, and highlighting potential areas of concern. These risk assessments can drive a monitoring programme that, once operational, will flag problems in real-time and can be revisited and tweaked as new threats emerge – for example, changes to legislation, changes to sanctions regimes, or on entering a new market.
Key Data Analytics Tests for Compliance
The power of data analytics is in its ability to tell stories about data that help you to see through the morass and focus on the trends and transactions that present your greatest problem. In light of the Guidance, the following examples should be considered by any company looking to build a best-in-class compliance programme:
- Expense Anomaly Testing
Put simply, these are tests run across submitted expense claims to look for unusual transactions, or patterns of transactions that could be indicative of fraud, bribery, or inadvertent regulatory breaches. Algorithms are designed to review expense reports, corporate credit card statements, and underlying invoices and receipts to look for outliers or items breaching company policy.
- Third-Party Payment Monitoring
This test is designed to monitor payments to suppliers, agents, or other third parties. Historic enforcement shows that channelling funds to third parties is the number one route for companies to make illicit payments, including bribes and facilitation payments. Algorithms are designed to consider individual payments or patterns of payments for indications of impropriety. A sophisticated programme can cross-reference higher-risk transactions (or escalate for manual cross-referencing) with supplier contracts, Know Your Customer (KYC), or similar due diligence records.
- Anti-Money Laundering Monitoring
It is now expected that companies consider money laundering, sanctions, and terrorist financing risk in their day-to-day operations. Rule-based algorithms are designed to detect financial transactions that may cause breaches in those three areas. This will include identifying unusual transactions or patterns of transactions, such as payments to offshore accounts, to accounts in high-risk jurisdictions, or to individuals or entities on proscribed lists.
- Invoice and Procurement Fraud Detection
The objective of these tests is to identify individual invoices or vendors that could indicate fraud. Algorithms will consider whether invoices correlate to purchase orders or underlying contracts with suppliers and whether payments are being made to accounts consistent with invoices and other communications with the supplier. Anomalies would include payments to individuals, changes to account details, or payments being made to a country that does not match the supplier's location. These tests can also be used to identify errors such as duplicate payments or overpayments.
- Employee Communication Analysis
This test is more controversial and jurisdiction-dependent – data protection laws differ depending on the country, presenting a particular challenge for multi-national companies looking to enforce a consistent approach across all employees. Algorithms are designed to proactively monitor internal communications – think email and collaboration platforms like Teams or Slack – for indications of unethical behaviour. Considerations will include terminology or sentiment connected to bribery or fraud, with analysis of keywords and/or natural language processing being deployed. Whilst this may be a controversial monitoring tool to use, similar tools are very frequently the basis of reactive investigations once an issue of concern emerges.
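The invoice and procurement checks listed above can be expressed as simple rules over a payment run. The following Python sketch is an added example, not code from the Guidance or from the authors; the record layout, field names, rule names and sample data are all assumptions constructed for illustration.

```python
from collections import namedtuple

# amount is in minor units (pence/cents); po_no is "" when no PO was quoted.
Payment = namedtuple(
    "Payment", "payment_id vendor_id invoice_no po_no amount account bank_country")

def review_payments(payments, vendors, purchase_orders):
    """Return {payment_id: [rule flags]} for payments that trip at least one rule."""
    findings, seen = {}, {}
    for p in payments:
        flags = []
        vendor = vendors.get(p.vendor_id)
        po = purchase_orders.get(p.po_no)
        if vendor is None:
            flags.append("UNKNOWN_VENDOR")
        else:
            if p.account != vendor["account"]:  # changed or substituted bank details
                flags.append("ACCOUNT_NOT_ON_FILE")
            if p.bank_country != vendor["country"]:
                flags.append("COUNTRY_MISMATCH")
            if vendor["is_individual"]:
                flags.append("PAYEE_IS_INDIVIDUAL")
        if po is None or po["vendor_id"] != p.vendor_id:
            flags.append("NO_MATCHING_PO")
        elif p.amount > po["amount"]:
            flags.append("EXCEEDS_PO_VALUE")
        # Normalise the invoice number so re-keyed duplicates still collide.
        key = (p.vendor_id, p.invoice_no.strip().upper(), p.amount)
        if key in seen:
            flags.append("DUPLICATE_OF:" + seen[key])
        seen.setdefault(key, p.payment_id)
        if flags:
            findings[p.payment_id] = flags
    return findings

# Constructed sample data (vendor master, purchase orders, payment run).
VENDORS = {"V001": {"country": "GB", "account": "GB00TEST0001", "is_individual": False},
           "V002": {"country": "DE", "account": "DE00TEST0002", "is_individual": False}}
PURCHASE_ORDERS = {"PO-10": {"vendor_id": "V001", "amount": 500_000},
                   "PO-11": {"vendor_id": "V002", "amount": 120_000}}
PAYMENTS = [
    Payment("P1", "V001", "INV-77", "PO-10", 500_000, "GB00TEST0001", "GB"),
    Payment("P2", "V001", "inv-77 ", "PO-10", 500_000, "GB00TEST0001", "GB"),
    Payment("P3", "V002", "INV-90", "PO-11", 150_000, "CY00TEST9999", "CY"),
    Payment("P4", "V002", "INV-91", "", 40_000, "DE00TEST0002", "DE"),
]
if __name__ == "__main__":
    print(review_payments(PAYMENTS, VENDORS, PURCHASE_ORDERS))
```

Each flag is a prompt for manual review against the supplier contract and due diligence file, not a finding of fraud in itself.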
Monitoring and Continuous Improvement
Proactive monitoring of this type positions the company to mitigate risk and identify problems early. Automated alerts enable the compliance team to react and remediate, and to identify false positives so that algorithms can be tweaked.
Importantly, it also positions the company to adapt to emerging risks and hone the compliance programme as a result. As a company evolves, enters new markets, or otherwise grows, it should consider whether thresholds should be adapted, or monitoring approaches changed. Regulations also change, as does the macro-economic environment, and to continue to meet the DOJ expectations the data analytics framework must evolve too, with new tests and approaches applied.
One crucial area in the future of proactive compliance monitoring is the use of Artificial Intelligence models enhanced with embedded data analytics, which analyse large datasets and detect threats. The Ankura Team is currently testing natural language modelling across petabytes of data from multiple data sources to identify anomalies. This technology has the potential to revolutionise compliance by identifying risks and patterns previously difficult to detect. However, as it is still evolving, relying on this technology alone poses risks and results must be carefully evaluated to ensure accuracy and adherence to regulatory standards.
Telling the Story - Visualisation
By now, I hope it is apparent that analysing vast quantities of data, from disparate sources, is possible. As is obtaining actionable results. But how best to convey the findings in a way that is easy to digest for compliance teams and senior management?
The answer is visualisation – the use of dashboards, charts, trend graphs, and heat maps to convert findings from data into understandable insights.
- For compliance teams – readily available tools such as Tableau and Power BI allow for visualisation of data sets and results. These can be made available to compliance officers, who can review patterns and anomalies that indicate policy violations or the frequency of potential compliance incidents. This may point to departments, regions, or jurisdictions which present heightened concern and enable resources (for example internal audit visits) to be better targeted. Ideally, dashboards should be provided to them in a form in which they can drill down and interrogate areas that pique their interest.
- For senior management and audit committees – visualisations aim to simplify large and complex data sets, distilling and highlighting critical information. For senior leaders, dashboards can enable them to quickly comprehend the company's compliance "health" and consider whether intervention or additional resources are required. Audit committees and boards can consider how the organisation benchmarks against its peers, industry standards, or regulatory regimes – assisting them with the proper discharge of their obligations.
The Role of Forensic Accountants in Analytics Programs
Forensic accountants are experts at detecting fraud, bribery, and misconduct, and those skills are valuable when designing and implementing data analytics programmes, not least because forensic accountants have a detailed understanding of the underlying business processes which can give rise to risks.
These skills and experiences position forensic accountants to tailor programmes to the operating environment of the company, through a mixture of risk assessment and lived experience. Examples might include identifying appropriate thresholds for payments that are proportionate to the jurisdictions the company is present in or building tests to look for patterns of bribery or fraud that are sector-unique.
Forensic accountants are also important when building systems for continuous monitoring, enabling outputs from data analytics tests to be reviewed in real-time, or through near real-time audits. Forensic accountants can interpret findings, consider red flags, and judge the effectiveness of analytics frameworks. By feeding back to the data scientists designing the algorithms, tests can be honed and the framework improved. This approach aligns with the DOJ's focus on continuous improvement.
Conclusion: The Benefits of Data Analytics and Visualisation
The integration of data analytics and visualisation into compliance programs offers numerous advantages. For compliance teams, these tools streamline the detection of potential misconduct, enhance monitoring capabilities, and support more targeted investigations. For senior management, visualisations provide a clear, actionable overview of compliance health, ensuring that risks are managed effectively across the organisation.
Data analytics, combined with forensic expertise, not only helps companies stay ahead of potential violations but also demonstrates to regulators that they are committed to maintaining robust, proactive compliance frameworks. In this era of heightened regulatory expectations, the ability to leverage data is no longer optional—it is essential.
Footnote
1. https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl