On February 8, the Department of Justice published its “Evaluation of Corporate Compliance Programs” to guide attorneys and corporate compliance officers during criminal fraud investigations. The guidance is designed to provide more transparency about U.S. prosecutors’ review of compliance programs under the “Filip Factors” to help them understand the role of corporate compliance in the misconduct. (This is the DOJ’s first formal guidance under the new presidential administration, and marks the latest effort by the DOJ’s compliance initiative which launched in November 2015 with the hiring of compliance counsel Hui Chen.)
The new guidance offers more express, practical examples of how federal prosecutors may investigate a company’s compliance program under the Filip Factors. In particular, two factors stand out as specific operational areas that can benefit from an analytics-based approach for more sustainable compliance:
- Factor #1. Analysis and Remediation of Underlying Misconduct. This factor asks questions about prior indications: how did the company let it get this far? “Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues?”
- Factor #9. Continuous Improvement, Periodic Testing and Review. The factor explores control testing — or the lack thereof. “Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties?”
The problem with how many companies operationalize both factors is the traditional audit. Many companies attempt to manage compliance using Enterprise Risk Management (ERM) frameworks. Compliance officers introduce policies and procedures, establish internal controls, and create guidelines for audits, internal investigations, monitoring of complaints and employees training. Historically, this approach targets structured enterprise applications—even though evidence of non-compliance risk increasingly lurks in undetected sources of employee communications including email, IM and chat, and social media. Since traditional auditing software does not target these types of files, risk goes undiscovered until it’s too late.
Operationalizing Filip Factors in the Modern Age
A more sustainable compliance approach targets unstructured files and communications, based on specific areas of concern, using a big data approach combined with human expertise. The analytics itself is capable of consolidating billions of documents across electronically stored information, uses basic and advanced analytics to search datasets and identify suspicious patterns in electronic communications, and applies machine learning and human judgments across multiple matters.
Let’s take a closer look at how a big data analytics approach can help expedite regulatory inquiries and monitor electronic communications to proactively identify risk.
Factor #1. Analysis and Remediation of Underlying Misconduct.
When there is a compliance failure, federal prosecutors will ask many questions about the compliance function in the face of misconduct: What happened? What failed? Did the company try to fix it?
Answering these questions using traditional review can take months or years–time that investigators are not likely to grant, and that cost a lot to the organization. By taking a big data analytics approach for a look back review, compliance teams and their legal counterparts can quickly identify potential areas of non-compliance by paring down hundreds of millions or more of documents to a small subset of relevant data warranting review (often less than 1% of the starting population), while eliminating costly manual review and error-prone processes.
One U.S. bank took this approach in response to a Matter Requiring Attention related to Servicemember Civil Relief Act compliance, and reduced project costs by 50% and time-to-completion by 18 months.
Factor #9. Continuous Improvement, Periodic Testing and Review.
Factor #9 asks companies: How will you continuously improve compliance so you’ll spot future misconduct? How will you prove it?
Using a big data approach to monitor unstructured data, companies can attain actionable insights into email, chat and other server-based communications to catch and address high-risk issues at the formative stage, targeting clear indicators of risky behavior, non-compliance or malfeasance based on areas of specific concern. For issues of less immediate concern, compliance monitoring can deliver actionable insights into data on a periodic basis with deep analysis of a broad range of compliance issues that require a complex and extensive search—such as a highly technical issue or areas that require unique industry knowledge, such as pharma compliance —across multiple communication and data stores. This approach produces defensible and actionable reports to compliance and legal officers, who can address possible misconduct before it becomes a serious problem.
Since corporate misconduct is serious enough to warrant a federal investigation, then it’s serious enough for corporate compliance to consider augmenting their traditional ERM approach with an analytics-based one.