Many a compliance officer has said one of the biggest challenges they face is that they don’t know what they don’t know, a fear traditionally heightened by not having enough visibility into the overall operations of the business. But in a digital age, most of the answers are there, buried in an ocean of data, waiting to be discovered.

Once unearthed, that data—the holy grail of compliance—must be deciphered if it’s to unlock any true value. That, in essence, is compliance analytics: It’s the process of gathering all the data the company holds (and even data that it does not hold) and analyzing it using statistical algorithms to mine for patterns and anomalies to uncover things like fraud, policy violations, and other misconduct.

“Compliance analytics is about using data to derive insights from a compliance perspective,” says Seth Rosensweig, a partner at PwC and head of its digital risk, regulatory, and compliance practice.

Compliance analytics Q&A

Compliance Week caught up with Alan Gibson, assistant general counsel at Microsoft, who shared how the $108 billion multinational technology company is using compliance analytics in its own global operations.

Alan Gibson

In what ways does compliance analytics help Microsoft proactively stay ahead of compliance risks?

Microsoft is using data analytics to create an early warning and monitoring system for a set of compliance risks. Microsoft has implemented an integrated program to provide prioritized, risk-based analytics. The analytics create “actionable insights,” which after training and establishing clear R&Rs and accountabilities with stakeholders, manage and reduce compliance risks across the “three lines of defense.”

What type of data does Microsoft gather to proactively cast a wider net over compliance risks?

Taking a “prioritized, risk-based” approach, Microsoft started with its corruption risk. We wanted to identify our highest risk deals to allow us to provide additional compliance oversight. For our “High Risk Deal Solution,” we pull data from a variety of internal systems: SAP, CRM/sales quote system, plus other Microsoft internal data involving discounting, deal approvals, credit, channel partners, market development funds, and geo-risk assessments.

We then apply a specific algorithm to deal-related data to identify the deals that create the most corruption risk for Microsoft.

How does Microsoft then translate data into actionable insight?

If the algorithm identifies a deal as “high risk,” it is routed for additional compliance oversight. We ask compliance professionals to review the specific data attributes that drive the high-risk score (e.g., if the discount trend attribute is driving the high-risk score, we guide the compliance professional through the review by describing what information to review, how to review it, how to identify an issue, and what to do when a potential issue is identified).

What advice would you offer other compliance functions as they look to establish a robust compliance analytics program?

Solve for a clear/defined risk. Solving for a specific and well-understood risk will allow you to test your hypothesis in a functioning proof of concept and quickly deliver value to the user community and leadership, all the while building momentum for further growth and expansion. Avoid solving for broad and vague risks such as “fraud,” instead focusing your efforts on a narrow, specific goal in terms of type of deal, customer, and area.

Start with a “manageable” data set. Consider data availability and its ease of access when electing a starting point. Look for data sets that will illuminate the risk you’re trying to solve, have untapped intersection points, or are naturally interconnected. Avoid difficult and time-consuming endeavors to restructure or stitch disparate and unrelated data sets together early in the program.

Leverage the user community. Engage resources from the user community (e.g., the compliance community) early and often to help with requirements, provide real-world experience and insights, and be change champions. This will build excitement and buy-in before launch, increase analytic adoption post launch, and ensure overall program success and longevity. Ultimately, if the users don’t find the analytic meets their needs, they won’t use it.

Depending on where a company is along the analytics maturity spectrum, Rosensweig explains, compliance analytics can be used to derive insights for a variety of purposes, including:

  • Descriptive analytics: What happened in a given situation?
  • Diagnostic analytics: Why did it happen?
  • Predictive analytics: What could happen?
  • Prescriptive analytics: What is the best course of action for a given situation? What can the business do to improve?

Unlike a risk assessment, which intrinsically is backward-thinking, data analytics effectively enables compliance, risk, and audit professionals to proactively detect and continuously monitor potential issues in real time. Without the benefit of today’s advanced analytics tools, the visibility that compliance, risk, and audit functions have into the company’s operations is limited by whatever sample, periodic risk-based testing or risk-based audit activities the company conducts manually.

“Dealing with a huge amount of data traditionally was a very laborious activity for compliance functions,” says Shaheen Dil, managing director and global solution leader for data management and advanced analytics at Protiviti.

Manually sifting through data also leaves the door open for misconduct or a policy violation to go undetected—a very real concern for a global financial institution, for example, that typically has dozens of lines of business, has millions of customers, and manages billions of records. Merely taking a risk-based sample of data doesn’t satisfy regulators, Dil says, because it raises the question, “How do you know you’ve picked a comprehensive data sample? How do you know this sample covers all your potential risks?”

Dil cites as an example her former experience as an executive at PNC Financial Services Group, where “we spent half our time explaining to regulators—in those days, before advanced analytics tools were used—why our risk-adjusted sampling methods were, in fact, accurate and covered most of our risks,” she says.

That’s all changed with the use of advanced analytics tools, in which machines can now sift through all data, so that compliance, risk, and audit professionals are no longer limited to analyzing structured data alone—such as spreadsheets and database records. “Organizations historically didn’t have the tools and techniques, and even the know-how, to mine, understand, and do something with unstructured data,” Rosensweig says.

Advanced analytics, like artificial intelligence (AI) and machine learning technologies, are opening compliance functions up to new and exciting opportunities. Unstructured data—social media, text messages, e-mail, contracts, and more—can now be consolidated along with structured data and analyzed together to identify patterns and anomalies that may go undetected by the human eye.

Getting started

Companies interested in the idea of compliance analytics for testing and monitoring but that don’t know where to begin should consider the following as stepping stones:

Don’t try to boil the data ocean. Compliance and audit functions should carefully think through how to incorporate and leverage the use of analytics into their end-to-end business processes, says Mike Maali, U.S. internal audit, compliance and risk management solutions leader at PwC. Often, companies that want to delve into compliance analytics begin identifying individual use case opportunities for deploying analytics and start mining the data without having a clear roadmap on how to leverage it more holistically, he says.

Begin by solving for a clear, well-defined risk or goal. In the banking industry, for example, AI and machine learning can help banks more accurately and quickly verify the identity of clients through automated know-your-customer procedures. Credit Suisse shared how it’s using a new technology platform that has helped identify and verify its international clients 80 percent faster than the year prior.

Credit Suisse is also able to assess “politically exposed persons” (PEPs) approximately 60 percent faster, at approximately 40 percent lower costs. “Over the past two years we have gone from a human-led approach to compliance, where we were carrying out periodic checks, to a technology-led approach in which we are continuously monitoring activities across the bank to enable earlier prevention and detection,” Lara Warner, head of the compliance and regulatory affairs unit at Credit Suisse, said in a blog post.

To cite another example in the financial services industry, data analytics can be used to monitor the activity of bank accounts opened by employees. Employees who have hit their sales targets by opening an excessive number of customer accounts with no activity can be flagged for review.

In the pharmaceutical industry, where opioid use is a big compliance risk right now, data analytics can be used to uncover patterns of potential fraud or abuse. Such red flags in the data may include, for example, the number of doctors visited; the geography and patient population; and the frequency of drugs prescribed.

And in the retail industry, transactions involving what the company considers “high-risk” distributors or resellers can be analyzed to check whether a third party in the supply chain is doing business with unauthorized or unapproved suppliers in a high-risk market.

These are just a few examples of the ways targeted data analytics for compliance purposes can be used across a variety of industries.

Establish data governance controls around data usage. Proper data governance is about enforcing through policies and procedures the management of data assets and the performance of data functions. Data governance should identify who is responsible for what data, who has access to the data, and what type of access is allowed.

A data dictionary is another important component of the data governance process. A data dictionary describes how to store and manage data and, thus, plays a central role in maintaining the accuracy, reliability, and integrity of the data, which is especially important when reporting to regulators.

Get a grip on data lineage. Data lineage is the lifecycle of data. It’s the art of tracking the company’s internal and external data, including its origin, where it moves, and how the data changes as it moves across servers and from module to module—from accounts payable to the general ledger, for example. So long as the business has a firm grasp on its data governance and data lineage, it can start to use the data in more advanced ways—such as getting into predictive risk modeling.

Put together a team of experts. Compliance analytics is intended to enhance—not replace—human intelligence. Those in the business must still translate what the data means relative to the risks that the business faces and how the data can be used to achieve future business goals.

Data stewards are a must. These individuals do not necessarily have the title of “data steward,” but they are the individuals in each business unit who know what data is available, where it’s located, and how it’s being stored. “You are starting to see a move toward the creation of these data teams,” says Tom Nicolosi, a principal in the Deloitte Risk and Financial Advisory practice.

That data team also needs heads from compliance, risk, internal audit, and IT who can interpret the results. “You need to make sure that you have those appropriate pieces represented at the table when trying to design what it is that you want to do, and how you want to do it,” PwC’s Maali says.

Regulators and analytics

Increased interest in the adoption of compliance analytics by companies comes at a time when government agencies are starting to pay a lot more attention to it as well. “Regulators, in general, have become extremely fascinated and extremely interested in this whole set of processes around data analytics,” Nicolosi says.

Certain regulatory bodies are even deploying data analytics in performing their examinations. The Financial Industry Regulatory Authority (FINRA), for example, uses advanced analytics to monitor trading in U.S. equities markets. “To do our job of protecting investors and ensuring market integrity, it’s important that we are on top of each day’s activity, applying our automated surveillance patterns to help our analysts look for potentially suspicious activity—instead of running to catch up,” wrote Steve Randich, executive vice president and chief information officer at FINRA.

In a second example, the Securities and Exchange Commission in July used its data analytics capabilities to uncover insider trading by an executive, resulting in an enforcement action. “It certainly would be leading practice for organizations to make sure they are doing the same sorts of things, if not more, than regulatory agencies are doing today,” Nicolosi says.