AlixPartner's Vineet Seghal and David Waterfield discuss the need for a consistent but customized scope and approach to global investigations. Their remarks have been edited for length and style.
CCBJ: With regards to cross-border and global investigations, how do you mitigate data privacy issues?
Vineet Sehgal: The information we are working with typically dictates our approach to data privacy. For example, if an investigation is related to a financial institution, the data can be protected by consumer and banking privacy laws. That might sound straightforward, but it isn’t. Investigations may include branches of a financial institution in different jurisdictions, each of which may have its own data privacy rules. We work with complex and voluminous data sets, and to run an efficient investigation, the ideal standard is to centralize all this information in one specific location. If that is not possible, there are other options. We have certified and secure data centers in key locations around the globe, and we can set up stand-alone, air gap infrastructures at the client site.
In situations where you have disparate data sets residing in different countries and you cannot
transfer the data, how do you collate and/or centralize data into an analysis tool for cross-referencing?
Sehgal: Our first option is to use one of our secure data centers within these jurisdictions. If that is not viable, we typically implement secure stand-alone networks, usually at the client site, within the jurisdictions themselves. The data will be processed, separately, in each of these locations. Although we may not be able to extract granular information, which contains personally identifiable information protected by data privacy, we could extract summarized information. The underlying transactional-level data will reside within the stand-alone networks implemented in the various jurisdictions, but we may be able to extract summary-level reports and analyses. Alternatively, data can be anonymized to remove personally identifiable information.
David Waterfield: There are approaches that help you ensure you are essentially redacting particular attributes within your data set and thus complying with the data privacy laws. But there are challenges. We had one occasion in Germany where we had to review the data and remove any information that pertained to individuals before we could move the data to the U.S. Having to review and analyze vast data stores to look for personal information can get challenging. This information can be contained in fields that you wouldn’t expect, such as comment fields or even user ID fields, and therefore personally identifiable information can be hidden in what might be considered transactional data. You need a sound and robust methodology to ensure appropriate redaction and compliance with stringent data privacy laws.
What are some other technological compliance issues you have faced?
Waterfield: The multinational corporations and financial institutions we work with have often grown through significant mergers and acquisitions. The level of complexity we face largely depends on how far along our client is in harmonizing its compliance technology landscape. We often find that, for instance, the U.S. subsidiary will deploy a certain piece of third-party compliance monitoring software, but the European subsidiary is working with a different version or has a completely different piece of software. From our perspective, one of the main compliance technology challenges in global investigations is that you often have to become the master of not one but several different compliance technology tools. If you are performing a historical investigation, understanding how the compliance technology landscape may have changed over time – and the materiality of these changes as it pertains to the investigation – is critical.
Sehgal: When global financial institutions grow through mergers and acquisitions, their data is spread across a diverse data landscape. There may also be legacy data components. At the inception of the engagement, we identify the relevant systems and undertake a knowledge acquisition process to understand how the systems connect and function within these institutions. This serves as the foundation upon which we build our data extraction, centralization and other key methodologies.
What emerging technologies are impacting this space?
Sehgal: In the compliance area, there are new technologies that financial institutions are using to screen relevant transactions against various compliance programs to ensure they are not violating, for example, any sanctions. These tools flag transactions that may violate sanctions, but reviewers need to analyze these alerts to determine if there really is a potential violation or whether the alerts are false positives. It’s not unusual for these sanctions screening tools to be very sensitive, and we have observed an extremely high rate of transactions being flagged. Although these technologies are monitoring transactions for potentially illicit activity, they also generate numerous false positives, and reviewing and disposing of these false positives places a major burden on the financial institutions. Some of these large financial institutions employ hundreds of consultants with the sole purpose of reviewing, clearing or escalating alerts. Artificial intelligence, machine learning and other efficiencies that can either reduce the false positives or clear them in a more expedited way are of interest. However, as these technologies mature, so do their complexities. Understanding how they work and making sure they are implemented correctly will be critical.
Waterfield: There is likely to be a great deal of value to applying more sophisticated tool sets, including machine learning, so that incidents like very high false-positive detection rates can be addressed and reduce the need for manual intervention. The flip side will be future investigations related to sophisticated compliance technology tools that have machine learning components. This will raise an interesting question of how the tool was “trained” and configured and how the bank, or the compliance team within the bank, can defend it. For instance, whether the compliance team actually set the parameters with a full understanding of how the compliance technology is working will be a very interesting topic for future investigations, and it’s one that banks should be thinking about as they deploy these technologies.
There are other new technologies that we use. When the data set is large but not too large, then SQL-based databases have the necessary scale and flexibility. Other technologies are being driven by huge data volumes, such as those you might associate with high-frequency trading or records generated by high-traffic websites. Conventional hardware infrastructures and analysis tools such as SQL-based databases cannot deal with these volumes of data, so cloud-based services that allow you access to unlimited storage and processing power will become the de facto tool set for highdata-volume investigations.
Other tools, like Python, can be very flexible if you have to deal with semi-structured data and need to do some pre-processing. We have some examples where the compliance tool – because it produces so much data – wasn’t storing historical screening results in the actual database. These were being “printed” out into text reports that were then stored on a file server. We had to pre-process huge amounts of data, using Python, and then get that data back into a fully structured format so that we could ingest it into a database and interrogate it.
Top Four Areas for Focus
- Understand the technology landscape. If there’s been a merger or acquisition, you need to understand the newly combined systems, the data stored within them, and how to get to your answer by transforming the relevant information quickly and efficiently.
- Understand the relevant data privacy regulations. These can influence what analysis infrastructure you need, how you will deploy it, and the timelines of the engagement.
- Understand the compliance regulations of the various stakeholders: What constitutes a violation?
- Maintain “consistency with customization.” With a global investigation, you’ll need a consistent scope and approach, which you may then need to adjust due to the realities on the ground.
Vineet Sehgal is a managing director at AlixPartners’ New York office. He has extensive experience leading technology teams in litigation consulting, auditing and accounting matters, and financial and regulatory investigations. Sehgal effectively communicates between cross-functional departments and has led engagements involving multiple government agencies. He can be reached at [email protected].
David Waterfield is a director at AlixPartners’ London office. He is an experienced financial services and data analytics consultant who works with clients on their highest-profile regulatory and legal challenges by taking a forensic, data-centric approach to drive an efficient and defensible approach to matters. He has also undertaken major projects in the energy, media and public sector areas. He can be reached at [email protected].
Published January 11, 2018.
