Building a Data-Driven Compliance Program

The DOJ’s Monaco Memo guidance from last year signaled how closely regulatory authorities are focused on data and how ready they are to pursue action against organizations that fail to implement robust, proactive compliance programs. More recently, Assistant Attorney General Kenneth A. Polite, Jr. said at this year’s ABA Annual National Institute on White Collar Crime that, when evaluating corporate compliance programs, the government will ask how companies preserve and make accessible communications from messaging platforms, where those communications are hosted, and whether they are managed in a way that accounts for privacy and other laws.

In short, data — from a wide range of sources — must now sit at the heart of compliance activities. Yet, simply having access isn’t enough. Compliance officers must have the ability to interrogate their data at a granular level, aggregate it in a way that can be effectively monitored for noncompliant activity, and then report on it when regulators come calling. 

From a data perspective, there are two key challenges underlying these new expectations: metrics and devices. Both of these can and must be addressed through a modern, analytics-led, data-driven compliance program.

Metrics

The Monaco Memo places significant emphasis on the need to measure and report on compensation and incentives as they relate to compliant behavior. Companies will be evaluated in the context of whether they have established “the use of compliance metrics and benchmarks in compensation calculations and the use of performance reviews that measure and reward compliance-promoting behavior, both as to the employee and any subordinates whom they supervise.”

These aren’t details that can be found easily or directly. Measuring activities at this level will require probing spend on items such as gifts and entertainment. Teams may need to analyze whether any individuals or activities grossly exceed averages, and look for any other abnormalities that may indicate a problem. Such analysis reaches beyond what is typically included in ongoing compliance monitoring.

Compensation is only one example. Some organizations may need to set and analyze metrics that inform anticorruption or antibribery activities for reporting to the board and internal auditors. For others, procurement metrics, such as the number of vendors exposed to certain types of risk, or geopolitical considerations tied to where vendors are located, may need to be monitored to support third-party risk management.

Each organization will have a unique set of key risk indicators and metrics that need to be mined and monitored to obtain a sufficient level of insight. The critical point is that these unique sources, types and categories of data must be incorporated into the company’s compliance metrics and measurement in order to assess and understand the extent to which the organization is following mandated policies and requirements.

Devices and Apps

The latest expansion of prior DOJ guidance also addresses corporate policies related to use of personal devices and third-party tools (such as WhatsApp and other chat applications). This change solidifies a new focus on the need for compliance programs to ensure that relevant information from these sources can be accessed and provided to the DOJ during an investigation.

Notably, the Monaco Memo states, “How companies address the use of personal devices and third-party messaging platforms can impact a prosecutor’s evaluation of the effectiveness of a corporation’s compliance program, as well as the assessment of a corporation’s cooperation during a criminal investigation.”

Organizations will no longer be allowed to turn a blind eye toward the use of chat applications, modern business collaboration platforms and personal devices for business purposes. Information governance policies and actions will need to be implemented to ensure all “off-channel communications” are appropriately governed and that communications taking place via chat applications can be preserved.

Moreover, in addition to information governance controls and preservation around devices and messaging apps, compliance teams will need to bring the data from those sources under the scope of their monitoring program. Data analytics can be embedded around mobile and chat data to monitor for potentially problematic activity and allow for further investigation when needed.

Doubling Down on Data

The concept of data-driven compliance programs is not brand new. The DOJ’s 2020 update to its Evaluation of Corporate Compliance Programs guidance included a specific point on data resources and access, focused on determining whether “compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.”

Compliance professionals understand the role data plays in their program’s success and defensibility. What has changed is that authorities are increasingly sophisticated and focused on granular data metrics and data sources. Prosecutors understand more than ever before the level of detail that can be found within company systems, and the ways in which communications have changed in recent years. Moreover, the need for “timely and effective monitoring” has taken on a new urgency, because it is now directly tied to a company’s ability to obtain cooperation credit and to the severity of any penalties it may face. Thus, as the DOJ and other global regulators become increasingly sophisticated and rigorous in their approach to data, compliance teams must be equally sophisticated in the metrics they use to interrogate their data, the analytics they apply and the expertise they rely upon to drive their programs.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.