Problem
The June 2020 update to the U.S. Department of Justice (DOJ) Evaluation of Corporate Compliance Programs guidance (2020 Guidance) emphasized that corporate compliance programs must be updated to be capable of delivering actionable risk insights on an ongoing basis. The 2020 Guidance specifically notes that companies should focus their resources on high-risk transactions.
“Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.” U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Updated June 2020)
Traditional auditing and monitoring efforts for identifying high-risk transactions are manual and control-focused and tend to generate too many items to review. The same transaction may be sampled multiple times if it appears in results from different tests. This approach is often inefficient and ineffective, failing to connect the dots between numerous risk indicators for a specific transaction and delaying the detection of high-risk transactions.
The 2020 Guidance further asks if an organization’s assessment of risk is static or dynamic.
“Is the periodic review limited to a 'snapshot' in time or based upon continuous access to operational data and information across functions?”
There often is a significant delay until issues are detected. A certain country, for example, might come up in audits once every 3-5 years, and even then, the sample selected may not adequately assess the risk.
The DOJ has now made it clear that they expect immediate detection of non-compliance. In May 2022, Assistant Attorney General Kenneth Polite, a former in-house Chief Compliance Officer himself, stated:
“I want to know whether you are doing everything you can to ensure that when an individual employee is facing that singular ethical challenge, he has been informed, he has been trained, and he has been empowered to choose right over wrong. Or, if he makes the wrong choice, you have a system that immediately detects, remediates, disciplines, and then adapts to ensure that no others follow suit (emphasis added).”
First-generation approaches of periodic, sample-based auditing and testing are clearly insufficient.
Solution
Early detection of high-risk transactions with compliance monitoring using data analytics can address these new enforcement agency standards. As it relates to risks such as fraud, bribery, conflicts of interest, sanctions, and asset misappropriation, that means continuous monitoring of financial transactions (e.g., vendor invoices, distributor credit notes, and employee expenses), with risk scoring of those transactions to detect the highest risk transactions.
Transaction monitoring prioritizes your efforts within the monitoring of spend and revenue data by displaying the full context of the transaction and its risk results together so that you can focus on the risk of a transaction holistically.
Since the risk score is calculated at an aggregated level across multiple analytics, compliance professionals can prioritize transactions for review based on the company's risk profile.
A program capable of automatically aggregating risk scores quickly detects suspicious transactions that may otherwise go uncovered and ensures that compliance experts can focus attention and resources on the highest-risk transactions.
Results
Organizations are able to quickly detect high-risk transactions before bad actors repeat the same practice or increase the amounts of money misappropriated from the company or used to fund non-compliance. By doing so, transaction monitoring can prevent non-compliance from becoming systemic and meet regulator expectations for immediate detection and remediation while avoiding fines and reputational damage. Compliance programs also benefit from continuous improvement as companies use their findings to adjust further monitoring, internal controls, policies, and training, reinforcing a culture of compliance across the business. And risk management becomes a dynamic and ongoing process rather than a “snapshot” process.