It’s been just over a year since the DOJ launched a pilot program designed primarily to motivate companies to voluntarily self-disclose misconduct related to the Foreign Corrupt Practices Act. The program was set to expire after 12 months, but in April it was extended for a second term.
To encourage voluntary self-disclosure, the program offers significant reductions in penalties for companies that cooperate with investigations, and even greater reductions for those that, on their own, discover activities that may run afoul of the act and self-disclose them. A cursory review of DOJ’s public announcements regarding declinations of prosecution during the past year shows a deliberate effort to broadcast the benefits of cooperation and the resulting reduced penalties. In each, DOJ repeatedly cites voluntary disclosures and cooperation as primary reasons for leniency.
In order to be in a position to self-disclose, however, companies must have a compliance program that is robust enough to identify potential violations well before they fall under government scrutiny. At the core of any such program is data analytics.
Most modern compliance programs are already leveraging some form of data analytics. Most often the data, metrics and other objective evidence are used in a defensive posture to demonstrate that the compliance program is working effectively. However, to catch the carrot DOJ is dangling, companies must expand these efforts to identify potential violations very early in their lifecycles.
This is also made clear in the DOJ’s guidance regarding risk assessments. The guidance says that companies must proactively collect data and metrics to help detect potential misconduct as part of their routine information-gathering and audit activities. In other words, a company’s monitoring, internal-control testing and auditing should collect and analyze data in an effort to identify red flags.
Unfortunately, most global companies that are at risk have mountains of data to sift through. The only way they can root out potential misconduct is to custom-tailor analytical procedures so that they can locate the anomalous signals in all the daily noise. Finally, the fact that enforcement agencies themselves, such as DOJ, the SEC and FINRA, have all instituted their own data analytics programs evidences the need to stay ahead of the curve.
Looking to recent enforcement actions gives a good indication as to how these programs might be tailored. For example, a recent $3.9 million settlement exposed a scheme in which a global account manager was offering software packages to his resellers at a significant discount. The resellers, in turn, were selling the packages to end purchasers at larger-than-normal mark-ups. This allowed them to create a slush fund of excess revenue that was used to pay bribes in exchange for future government sales contracts.
To monitor for such activity, compliance programs can analyze the baseline of discounts offered to all vendors and use data analysis to flag anomalies that deviate from the established norm. A similar approach might also consider inflated or unearned sales commissions. Fully understanding and evaluating data points around the activities of sales consultants also allows the compliance team to identify potential relationships that may not have a clear business purpose.
Inflated or fictitious sales commissions or bonuses, which are then used to pay bribes, often come up in enforcement efforts. Here again, analysis of payments and compensation data can be used to uncover those above the normal baseline or at odd times of the year. Similar analysis of expenses and gifts can help flag travel to unusual locations and payments to unintended beneficiaries. These are also common schemes.
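The discount-baseline check described above can be sketched as follows. This is an added example, not a method from the article or from DOJ guidance; the deal records are constructed, and the median/MAD (modified z-score) statistic with a 3.5 cut-off is an assumed choice of baseline. The same scoring function can be pointed at commission or expense amounts.

```python
import math
from statistics import median

# Constructed sample deals (not real data): list price, price charged to the
# reseller, and price the reseller charged the end purchaser.
DEALS = [
    {"id": "D1", "list": 1000, "reseller": 900, "end": 990},
    {"id": "D2", "list": 1000, "reseller": 880, "end": 970},
    {"id": "D3", "list": 1000, "reseller": 910, "end": 1000},
    {"id": "D4", "list": 1000, "reseller": 890, "end": 985},
    {"id": "D5", "list": 1000, "reseller": 905, "end": 995},
    {"id": "D6", "list": 1000, "reseller": 895, "end": 980},
    {"id": "D7", "list": 1000, "reseller": 600, "end": 1000},  # deep discount, kept by reseller
    {"id": "D8", "list": 1000, "reseller": 650, "end": 715},   # deep discount, passed on
    {"id": "D9", "list": 1000, "reseller": 870, "end": 960},
]

def modified_z(values):
    """Median/MAD z-scores; robust to the very outliers being hunted."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # peers identical: any deviation at all is anomalous
        return [0.0 if v == med else math.copysign(math.inf, v - med)
                for v in values]
    return [0.6745 * (v - med) / mad for v in values]

def score(deals):
    """Return {deal id: (discount z-score, reseller mark-up z-score)}."""
    discounts = [1 - d["reseller"] / d["list"] for d in deals]
    markups = [d["end"] / d["reseller"] - 1 for d in deals]
    pairs = zip(modified_z(discounts), modified_z(markups))
    return {d["id"]: z for d, z in zip(deals, pairs)}

def discount_outliers(deals, threshold=3.5):
    """Deals whose discount sits far above the peer baseline."""
    return [i for i, (zd, _) in score(deals).items() if zd > threshold]

def slush_fund_candidates(deals, threshold=3.5):
    """Deep discount AND abnormal reseller mark-up: the pattern in the settlement."""
    return [i for i, (zd, zm) in score(deals).items()
            if zd > threshold and zm > threshold]

if __name__ == "__main__":
    print("discount outliers:", discount_outliers(DEALS))
    print("review first:", slush_fund_candidates(DEALS))
```

Requiring both signals separates a discount that was passed on to the end purchaser from one that was retained as excess margin, which keeps the review queue short.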
Although these examples are demonstrative, using data analytics to support proactive compliance programs is not one-size-fits-all. To be effective, the use of analytics in the compliance realm must rely upon both a full understanding of data analysis methods and a deep knowledge of the business and its routine activities.
David White is a director at AlixPartners, where he advises clients on information governance, information security and electronic discovery. He can be reached at firstname.lastname@example.org.
Published August 28, 2017.