Ask a CCO: How to meet data analytics expectations of both board and regulators

Q1. How is your company using data analytics to evaluate compliance?

ROB CLARK: Data analytics has long been a staple within our compliance framework. We are implementing a new ERP which will further enable management and the compliance office to analyze transactional data and quickly highlight and investigate anomalies.

MARK CONSTABLE: I think the key to a strong compliance management program and a good relationship with federal and state regulators is a focus on self-identification and self-correcting potential deficiencies in processes or procedures. I never want a regulator to tell me something I don’t already know. Using data analytics for Community Reinvestment Act, by way of example, allows us to statistically analyze our HMDA and small business loan data to ensure we are meeting the credit needs of our community and assessment area. The analysis tells us the impact of our lending program on low-to-moderate-income families and minority groups. Data analytics along all business lines within the financial institution provides the essential details for us to evaluate the effectiveness of our compliance program and proactively seek solutions or improvements if necessary.

LUIS KOLSTER: Evaluating the effectiveness of a compliance program is an ongoing process that includes ensuring that the program is in line with all regulatory requirements and expectations, as well as making sure the company’s policies and procedures are properly designed and are being implemented accordingly. We can use data analytics tools to identify potential failures in the implementation of existing controls. Identifying issues in the execution of a process in real time would allow us to implement corrective actions immediately. We are constantly reviewing our compliance program to incorporate new ways to improve and evolve with the business.

KAREN MOORE: Like so many compliance programs, ours is rooted first and foremost in risk assessment and mitigation efforts. Those have traditionally been focused on the type of roll-up-your-sleeve efforts which have not heavily relied on data. Nevertheless, we are already increasing our use of analytics, not only to pinpoint more precisely what efforts will achieve the greatest results, but also to venture into the predictive space to anticipate and control for emergent risks. The challenge isn’t the absence of data so much as it is to import skills sets into the compliance department to interpret what we already have access to. Rather than looking at the data in silos, we need to find ways to connect the dots to provide a more sophisticated view on risk and program effectiveness. We are planning to leverage internal resources in our data management teams to assist us in setting up better systems. Going forward, I anticipate compliance offices will increasingly look to add data analytic capability to their teams full-time.

CARI REED: We’re using data to inform us where we may have opportunity to reinforce compliance standards and to signal where there are emerging risks based on patterns and trends from matters we are handling. Data we capture also gives us a sense of whether what we are doing is effective and if we are focused on the right things. Surveying employees to get feedback on what’s working well and topics they want to hear more on is also something we do. We monitor specific elements like the volume and types of compliance events that are reported, company location, and investigation outcomes. We also track how concerns are brought forward—direct report to compliance team or our anonymous hotline—and where we need to focus, from training, communication, auditing, and monitoring, to opportunities to partner with other functions.

CHARLOTTE YOUNG: To name a few, we conduct many surveys, track clicks, track investigations and reports, and keep apprised of global trends outside of the company to inform our risk-based program. 

Q2. What do regulators expect from your company’s compliance data analytics?

ROB CLARK: Given that our university has a robust research enterprise as well as a teaching hospital, our regulators are expecting more robust use of data analytics to enhance compliance oversight and monitoring. Given the Department of Justice’s push to increase the use of data analytics to proactively detect and analyze fraud, abuse, and misconduct before they become endemic, we are expanding our compliance office resources to add more staffing and tools to facilitate this. We will also be including reports of these initiatives and findings as part of our regular reporting to our executive leadership and board of trustees.

MARK CONSTABLE: The product of data analytics is only as good as the data integrity of the information it is analyzing. Regulators expect that we are quality controlling the accuracy and integrity of the information we are running through our data analytics programs. Regulators’ expectations are not just that we are looking at data to evaluate fair lending or redlining—the expectation is that we are looking at the correct data. Thorough and complete knowledge of underlying regulations in any area is the start of deciding exactly what we will be analyzing for data and why. Communicating this solid understanding with regulators, and in turn appropriately allocating resources to ensure both data integrity and data analysis, is essential to any compliance program and use of analytics.

LUIS KOLSTER: I think the regulatory expectations evolve with technology. As more sophisticated ways to analyze data become available, companies are expected to adopt them in different areas, and compliance is not an exception. Managing a compliance program cannot be a static exercise; chief compliance officers should be agile, move at the same speed of the business, and not only adapt to but fully embrace technology as an enabler to continuously improve and enhance how they implement the key elements of an effective compliance program in their organizations.

KAREN MOORE: Aside from isolated reporting requirements, such as carbon emissions in the United States or a host of statutory reporting requirements in some jurisdictions (most notably, India), we do not have complex mandatory analytic reporting. We are, however, guided by the views of regulators, such as the U.S. Department of Justice and the European Data Protection Board to understand what type of data we should be looking at to mature our program. My sense is that data analytics will be increasingly important should a company be in a position where it needs to explain or defend its compliance program.

CARI REED: Regulators would expect that we are not only identifying trends and patterns to detect potential compliance issues but also working effectively to address and prevent them. Regardless the industry we work in, compliance officers need to demonstrate the effectiveness of the programs we lead and show we are actively monitoring for risks, looking for opportunities to improve, and adjusting the work that is done in response to what our companies are facing. Regulators want to see that we are taking actions and making improvements in partnership with other key leaders. The data we keep should help us tell that story.