Close

Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Compliance in the 21st Century: Welcome to ComTech

Tom Fox | June 20, 2017

What will be the role of Artificial Intelligence (AI) in compliance going forward? In the legal services world, LawTech stands for the ongoing revolution of the legal profession and legal processes move into the 21st century, just as FinTech portended changes in the financial services industries. Using these two disparate, yet related developments as a guide, I see ComTech lurking just down the road. 

A clear example where ComTech comes into play is large-document review. There are many companies that provide keyword searches, and these same concepts translate readily into the compliance world through massive database searches for keywords, such as an ongoing e-mail review through e-mail sweeps. The concept is straightforward; at regular intervals, you sweep through your company e-mail database for identified keywords that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance, but any of the risk factors identified for your company. 

The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. If warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently. 

Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals, those subject to OFAC and other sanctions, and other nefarious actors will use non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach. 

This is even more true when it comes to the reputational damage a company can sustain from dong what might even be considered routine business. Goldman Sachs’ $2.8 billion purchase of Venezuelan bonds earlier this year was widely criticized for helping to prop up an anti-democratic regime. For Goldman’s front-line personnel, it was apparently a routine transaction, purchasing the country’s bonds at pennies on the dollar. Yet the blowback has cost the firm far more than any monetary profit it stands to make years down the road. The same scenario is true in a non-financial services entity.

While the Socratic method is an excellent training tool to become a law school professor, it does not train students to be compliance practitioners in the 21st-century compliance profession.

Another area where compliance is often left behind is in the arena of mergers and acquisitions. Since the 2012 FCPA Guidance, M&C compliance has focused increasingly on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence, or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are tech companies that provide software that allows thousands of documents to be reviewed in the M&A context. 

In the M&A context for compliance, such a review could include such issues as whether third-party sales representatives have the requisite background due diligence in the files, their status, and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel, and entertainment analysis. Finally, you could consider sales in high-risk regions or even sales spikes from low-risk areas from the compliance perspective. 

A prime example of where AI can assist the compliance function is with third parties in the supply chain arena. Multinationals can have thousands of vendors, each of whom can present a third-party compliance risk. Getting a handle on those is always a challenge simply because of the numbers involved. Through the use of AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance, or other risks to an organization—once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise. 

Another set of AI tools can review contracts to see if any specific types of clauses are non-standard. It is a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third-party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so, I can personally corroborate again to the greater efficiencies a ComTech solution can bring to such an assignment. 

This final example also points to the limitations of AI. While it might have helped to have AI review all my former employer’s JV agreements and third-party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the aforementioned agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies. 

Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. A review of his recent book, “Deep Thinking: Where Artificial Intelligence Ends and Human Creativity Begins,” noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.”

All of this means tomorrow’s compliance practitioner will need more and varied skills than those which are currently taught. As many compliance practitioners have come to the profession from a legal background, this will be even more so given the paucity of corporate skills taught in the modern law school. While the Socratic method is an excellent training tool to become a law school professor, it does not train students to be compliance practitioners in the 21st-century compliance profession. Disparate disciplines such as project management, design thinking, and process improve are all mandatory skills for the compliance practitioner going forward. 

There have always been technological innovations which help make corporate disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Put another way, if disruption hits the legal world through LawTech, disruption is not far behind in the compliance world through ComTech. You had better be ready.