Intelligently Evolving Your Corporate Compliance Program

Background

In June 2020, DOJ updated its guidance on the Evaluation of Corporate Compliance Programs. The guidance, which was first issued in 2017 and updated in 2019, lays out a series of factors for prosecutors to consider when assessing the effectiveness of corporate compliance programs as part of making charging decisions and negotiating resolutions. The overarching theme of the updated guidance, which provides a roadmap for designing and implementing compliance programs, is a renewed emphasis on the substance and adequacy of resources made available to the compliance program. It also reflects a focus on the need to both continually assess whether the compliance program is working, and use data in a meaningful way to assess the program.

Leadership in DOJ’s Fraud Section has “embraced, wholesale, the proposition that data can and does serve as a significant indicator of fraud, foreign bribery, and other white-collar offenses.” In November 2020, at the Latin American Compliance Conference, Acting Deputy Assistant Attorney General Robert Zink emphasized the premium that DOJ is placing on data analytics. Zink explained that DOJ itself uses data analytics in the Foreign Corrupt Practices Act, healthcare fraud and securities fraud spaces to identify leads and potential misconduct. Zink went on to say that to the extent a company has “ready access to data that could be probative of misconduct, [DOJ] would hope and expect they would avail themselves of the opportunity to mine that data to figure out whether bad stuff is happening.” And so, Zink concluded, “companies that invest and take the time to invest and develop robust data analytics programs are certainly viewed favorably” by Zink and other prosecutors evaluating corporate compliance programs.

Overview of DOJ’s Updated Guidance: Emphasis on Data Collection and Analysis

DOJ’s guidance for corporate compliance programs asks three key questions, each of which companies should answer affirmatively to satisfy the Department’s expectations:

1. Is the corporation’s compliance program well designed?
2. Is the corporation’s compliance program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?

In weighing whether a compliance program is adequately resourced and empowered to function effectively, the guidance instructs prosecutors to assess whether compliance and other control personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” The guidance also directs prosecutors to determine whether any “impediments exist that limit access to relevant sources of data,” and, if there are, what the company is doing to address those impediments. The Department views this in light of whether a compliance officer has sufficient autonomy and adequate resources: just like having appropriate seniority, access to the board of directors, and an appropriate team, compliance officers must have a view into the business through its data.

In assessing whether the compliance program works in practice, prosecutors are again guided to evaluate a compliance program’s use of data. DOJ has explained that an effective compliance program will improve and evolve along with the changing risk profile of a company’s business, environment, customers, laws and standards. A key way to ensure continuous improvement is to analyze corporate data and data from the compliance function itself, in conjunction with other methods of risk assessment and control testing.

Applying DOJ’s Guidance

In practice, the DOJ’s focus on the use of data means two things for a compliance program.

• First, compliance officers must have access to the right kinds of data, and they must have the technical capability to do something with it.
• Second, a compliance program, according to DOJ’s guidance, must timely and effectively monitor adherence to its policies, its controls and any transactions. It should also use this data to continually understand the risks faced by the company.

Basic email monitoring tools often do not provide the level of visibility into the business that a compliance officer needs. But, it often is impracticable and cost-prohibitive to set trained human eyes on large swaths of corporate data in the ordinary course of business. Using search terms often misses information in this broad context and still requires a significant manual review effort. The updated guidance admonishes compliance officers that they should address impediments that prevent them from meaningfully accessing and using company data, and there are tools that can facilitate overcoming these challenges.

Using Artificial Intelligence

In 2020, roughly 306.4 billion emails were sent and received worldwide each day, and that number is predicted to reach 319.6 billion by 2021 with further increases for the foreseeable future. In addition to the ever-increasing number of emails, there has also been extraordinary growth in the use of collaboration platforms to support remote work during the COVID-19 pandemic. The number of daily active users just for Microsoft Teams increased from 44 million in mid-March 2020 to 75 million in late April to 115 million by October. The sheer number of communications presents a complex challenge for compliance initiatives.

Artificial intelligence (AI) helps address these problems. AI is able to analyze the data and extract a wealth of information quickly, without the need for humans to read an impossibly large number of documents or guess which search terms may be effective. Instead of spending time looking for the proverbial needle in a haystack or relying on a team of people to manually review documents to understand the story in the data, AI can expose that information quickly. When compliance teams use AI tools, they not only gain an early understanding of facts in the documents, they can also see what isn’t in the data.

How to Make Artificial Intelligence Work for a Compliance Program

Without any human input, AI can analyze the content of millions of documents and extract information like the emotional sentiment of a communication, the people and organizations mentioned or the social network connections among key players. Legal and compliance teams can use patterns identified by the system to point the way toward smarter search techniques that yield rich results. For example, unusual spikes in communication after business hours or with external parties could reveal inappropriate conduct. Or review could focus on documents with high negative sentiment or fraud signals that the system identified automatically. Visualizing the social network to see who is interacting with whom can also guide the direction of an investigation.

Compliance teams can also use machine learning to prioritize relevant documents and avoid review of irrelevant data. As a person indicates which documents are relevant, the system learns from this input and classifies the rest of the dataset for relevance, building a model tailored to the issues of the investigation. The system continually refines and adjusts the algorithm in response to reviewers’ input, and the most relevant documents are prioritized first. Review efforts can focus on higher-level analysis instead of spending time shuffling through an unnecessarily large number of documents.

Another effective approach is to use pre-trained models to classify the data. Pre-trained models are algorithms that have been configured for specific purposes. For example, a model for gifts and entertainment kickbacks may be useful for certain investigations; perhaps a model for pricing and fees is more effective in another scenario. Another example identifies communications with competitors that may show an implicit or explicit agreement. Pre-trained models can identify documents related to those topics without any human input, and they can be further adjusted and customized to fit the specific needs of an investigation.

As the volume of business communications continues to increase with no end in sight, AI is a critical component to a data-driven compliance initiative. Advanced technologies empower compliance officers to be proactive rather than reactive, finding potential problems quickly and mitigating risk to the business.

Artificial Intelligence + Human Intelligence = Genuine Intelligence and Comprehensive Compliance

An experienced team of compliance, e-discovery and subject matter experts can use AI to gain insight into elusive or unpredictable activity that threatens an organization and that may otherwise have been undetectable. Meeting DOJ’s expectations does not mean that organizations must constantly take on comprehensive compliance reviews. Taking a tailored, data-driven compliance approach will allow organizations to review their risk on a regular basis in a precise and efficient manner. When done in partnership with the right team, organizations can do so while protecting privilege and managing a full array of legal and reputational risks. This approach, when coupled with more periodic and comprehensive reviews of policies and procedures, can substantially decrease compliance risk and directly addresses DOJ’s requirements for an effective compliance program.