Using Data in Compliance
By Thomas Fox ,The Compliance Evangelist, Author
The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have both made it clear that they expect companies to be more robust in their use of data analytics in compliance programs. This means using data to not only detect and prevent illegal conduct but also in the remediation prong of any best practices compliance program as well through continuous improvement.
In 2019, former Deputy Assistant Attorney General Matthew Miner said that the DOJ will inquire whether compliance departments have access to internal data that could help them identify misconduct and whether compliance officers make adequate use of data analytics in their reviews of companies under investigation. Since at least 2016 in the Foreign Corrupt Practices Act (FCPA) enforcement action involving Key Energy Services, Inc., the SEC has been communicating to compliance professionals of the need for increased use of data and data analytics in any compliance program.
In 2019, the DOJ Antitrust Division released its Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust Guidance), which has the clearest statement regarding this mandate. It stated, “Does the company use any type of screen, communications monitoring tool, or statistical testing designed to identify potential antitrust violations?”
For the anti-corruption compliance professional, this means you need to incorporate a statistical analysis into your ongoing monitoring to see if there are any anomalies which could be indications of FCPA violations.
Data, the use of data, data analytics and transaction monitoring by the compliance function was also emphasized in the 2020 Update, where the following questions were posed:
Data Resources and Access
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
This set of queries was not simply phrased in the negative but it requires a company to work to make such data available to the Chief Compliance Officer (CCO) and compliance function. This is a much more stringent requirement than the CCO calling up IT to find out what data might be available to monitor on an ongoing basis. These questions require every company to take affirmative steps to make the data available and get to it the compliance in some type of usable format.
Finally, this inquiry ties back to Part II of the 2020 Update, which requires that a CCO and compliance function “be empowered to function effectively”. The requirement for accessibility to siloed data and its use by compliance will be critical in the business world moving forward. Compliance is truly at an inflection point and the forces of the Coronavirus health crisis, the economic dislocation and now 2020 Update will drive compliance functions towards more and greater use of data in compliance going forward.
All of this government and regulatory focus on data for a compliance program will require many law school trained compliance practitioners to learn a new skill set to meet this mandate. I was therefore reminded of a recent Harvard Business Review (HBR) article, entitled “When Data Creates Competitive Advantage”, by Andrei Hagiu and Julian Wright. In the article they laid out several precepts for using corporate data as a competitive advantage. While the authors have focused on customer data you should always remember that the customers of a compliance function are largely corporate employees (and others), I nevertheless, found their piece useful for the compliance professional.
The first thing to consider is the value of obtaining the data.
Claerly the more data a compliance program receives the more information it has in the form of feedback from its customers. This means a higher value add and the higher the value add, the greater the chance that it will create a lasting edge.
That edge can be in preventing or detecting conduct which could lead to a FCPA violation, it could be part of continuous monitoring, leading to continuous improvement or it could demonstrate to the DOJ and SEC the robustness of your compliance regime.
Next is how soon do you reach a point where additional data no longer enhances the value of the compliance solution?
The more slowly the marginal value decreases, the stronger the solution enhance will be going forward. Fortunately, there is little to no learning drop off for compliance information. The reason is simple, it is a business process and the more data you have and the longer you keep it, the more you can refine your process.
The authors then posed the tangentially related question,
How fast does the relevance of the user data depreciate?
If the data becomes obsolete quickly, then all other things being equal, it will be easier for a rival to enter the market, because it does not need to match the incumbent’s years of learning from data.
As the only rival for an effective compliance program in this scenario is an ineffective compliance program, it should not be a construct to overcome.
How well does the data you mine translate into an actionable solution across geographic and business lines?
Ideally, it will do both, but the difference between the two is important. When data from one area improves the compliance solution for that section of your business, a company can then customize it across regions or business lines. It can also work to create what the authors term “network effects”. It can also work to make the compliance solution or enhancement both quite “sticky” and also provide a key advantage in competing for new customers.
How fast can you turn the data or its insights into an actionable compliance solution or an upgrade?
If you can do so rapidly it can provide faster and greater benefits. But when it takes years or successive product generations to make enhancements based on the data, your compliance solution(s) may well fall by the wayside. This means that competitive advantage from greater data is stronger when the learning translates into more frequent improvements of the compliance solution or enhancement for your current employees rather than simply for future consumers of the compliance solution.
Next, will your data-enabled enhanced compliance solution create true network effects throughout your organization?
When learning from one region or business lines translates into a better experience for other employees throughout your organization and when that learning can be incorporated into a compliance solution fast enough to benefit its current users, your employees will care about adopting the product.
The authors caution that “despite these similarities, regular network effects and data-enabled network effects have key differences, and they tend to make advantages based on the regular ones stronger.”
First, the cold-start problem is usually less severe with data-enabled network effects, because obtaining data is easier than speculation or worse, no data. This means that alternative sources of data, even if not perfect, can significantly increase your chances of success.
Second, to produce lasting data-enabled network effects, the firm has to work constantly to learn from your corporate data. Finally, with a data-enabled network, nearly all the benefits of learning from corporate data can be achieved with relatively low numbers of employees participating.
The bottom line is that it is not if but when you begin to incorporate corporate information into your compliance program to make it more efficient and your business process run more effectively. My suggestion is that you begin now to identify the data you have access to and the data to which you currently do not have access. Find a way to bridge that gap.