Companies have long sought to automate transaction monitoring, yet setting up a comprehensive process can be expensive and daunting, taking several months and often needing lots of tweaks and fixes. Now some are finding what could be a simpler way: the on-demand model.

Not only can transaction monitoring help companies spot fraud in the early stages, before it grows into an expensive ordeal, but it can help earn credit with enforcement regulators when a problem does arise. Transaction monitoring, for example, can help companies win deferred prosecution agreements, going by Justice Department rulings. In deferred-prosecution agreements involving Foreign Corrupt Practices Act violations at both Weatherford International and Diebold, the companies promised the Justice Department they would step up prevention and detection efforts.

The traditional method of sampling transactions for audit has not historically proven as effective as ongoing monitoring or periodic audits of complete data sets. Whatever the Justice Department requires, “There's no way for humans to take a look at all these numbers” without automated transaction monitoring, said Tom Fox, an independent FCPA compliance consultant and lawyer who writes the FCPA Compliance and Ethics Blog.

Some companies are pursuing on-demand models, offered through a vendor, that allow them to plug in inexpensive solutions and use as much or as little as they want, as frequently as they want. These models also let them dip a toe into the waters of transaction monitoring without first making a hefty up-front investment.

Oversight Systems, for example, announced an on-demand “pay-as-you-go” Web-based solution for travel-and-expense monitoring last month. Part of its “Insights on Demand” suite, the T&E FCPA/Anti-bribery and Corruption Risk module monitors T&E transactions for possible bribery and corruption and provides recommended actions.

Moreover, the solution is designed for business users versus data scientists, with implementation times of less than a week and a starting price of $1,995. “It took a while to figure out how to do this without charging high six figures,” said Oversight CEO Patrick Taylor. “There's not a lot of compliance departments that have the high six figures to do this, or Morgan Stanley's 1,400-person compliance department,” he says. Another benefit is that the on-demand model lets companies do a ‘test-drive’ analysis of their transactions to determine if the analysis is meaningful or valuable.

On-Demand in Its Infancy

“The market is responding to the need,” said Fox. He expects other vendors to follow suit quickly.

John Wheeler, Gartner's research director of risk and security management programs, doesn't think it will take long either. “The enterprise GRC market [is] still focused primarily on providing the single-platform solution for very large enterprises. But we've seen in the last year or so new demands from the end users [which is] going to start to turn the ship toward on-demand, probably more in point solutions,” ones that lend themselves to periodic use. But, he adds, “We just haven't seen a whole lot of that yet.”

True, “The market for on-demand compliance solutions is not yet even in the early adoption stage,” said Joe Oringel, managing director of Visual Risk IQ, a risk advisory firm specializing in audit data analytics. He says they are likely to become more common as other vendors offer solutions and companies scramble to prove their diligence to regulators. “If I identified all the Fortune 1,000 companies doing continuous monitoring, it's a small number.” Some companies are motivated to implement automated monitoring as part of a deferred-prosecution agreement, but others are becoming increasingly proactive, looking to prevent or detect bribery and corruption early.


That would seem to build a case for continuous versus on-demand monitoring, says Ross Paul, a vice president at ACL, which provides audit analytics and continuous monitoring software. “The occasional audit isn't the same thing as doing proactive risk management,” he says. ACL's family of products includes cloud-based GRC solutions, continuous transaction monitoring among them. “We know that if we work with the customer on a population of data that potentially contains risks, we invariably find significant savings or risks that could be better managed and that obviously helps build a business case for doing that on a more continuous basis.”

If the on-demand GRC model is in its infancy, where might the model lend itself? “There may only be the need to do risk assessment of vendors as needed, maybe in procurement,” said Wheeler. “In the audit management space, there may be some good on-demand use cases or capabilities, in that audits are point-in-time exercises. And for any sort of project-based or investigative type of scenario it would fit well.”

Not All on Board

Still, the idea of automated on-demand transaction monitoring spooks some compliance officers.

A common objection, said Taylor, is: “Will this be too much work for me?” While false positives can certainly be an issue, the system is intended to save time by focusing in on trouble spots. “We give compliance people a lens into the five people who engaged in some risky behavior last month. You can dig in a little deeper and make it a manageable amount of work.” So in theory, automated monitoring sifts needles from hay, he says.
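As an added illustration of the two points made above, that sampling is weaker than monitoring the complete data set and that a monitoring run should leave compliance staff with a short list of people to look at, the script below runs three simple travel-and-expense rules over a constructed set of claims, then runs the same rules over a 50 percent audit sample of those claims. This is example code written for this page, not Oversight's, ACL's or any other vendor's product logic; the policy thresholds, the watch-list entry, the employee names and every record are constructed assumptions. The pattern rule (repeated claims just under an approval threshold) only fires when several of one employee's records are seen together, which is exactly what a sample tends to break up; the last function puts a number on how rarely a random sample keeps such a pattern intact.

```python
"""Rule-based T&E monitoring over a full population versus an audit sample.

Added example with constructed data; the rules, thresholds and watch-list
are assumptions for illustration, not any vendor's product logic.
"""
from collections import defaultdict
from math import comb

# Assumed policy parameters (illustrative, not from the article).
GIFT_LIMIT = 100.00            # max value of a gift to a third party
APPROVAL_THRESHOLD = 500.00    # claims at or above this need manager approval
NEAR_THRESHOLD_BAND = 0.02     # "just under" = within 2% below the threshold
NEAR_THRESHOLD_MIN_COUNT = 3   # this many just-under claims suggests splitting
PEP_LINKED_PAYEES = {"Harbor Customs Consulting"}  # constructed watch-list entry

# Constructed T&E records: (record_id, employee, category, payee, amount)
RECORDS = [
    (1, "alice", "meals", "Cafe Roma", 42.10),
    (2, "alice", "gifts", "Harbor Customs Consulting", 95.00),
    (3, "bob", "gifts", "Gift Shop", 450.00),
    (4, "carol", "travel", "Airline", 499.00),
    (5, "carol", "travel", "Airline", 498.50),
    (6, "carol", "travel", "Hotel", 497.00),
    (7, "dave", "meals", "Bistro", 30.00),
    (8, "erin", "consulting", "Harbor Customs Consulting", 2000.00),
    (9, "frank", "travel", "Taxi", 22.00),
    (10, "grace", "meals", "Cafe Roma", 18.25),
]


def monitor(records):
    """Run every rule over the given records; return {employee: sorted reasons}."""
    flags = defaultdict(set)
    near_threshold_counts = defaultdict(int)
    low = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    for _rid, employee, category, payee, amount in records:
        # Single-record rules: each fires from one line item alone.
        if payee in PEP_LINKED_PAYEES:
            flags[employee].add("payment to PEP-linked payee")
        if category == "gifts" and amount > GIFT_LIMIT:
            flags[employee].add("gift above policy limit")
        # Pattern rule: needs several of one employee's records together.
        if low <= amount < APPROVAL_THRESHOLD:
            near_threshold_counts[employee] += 1
    for employee, n in near_threshold_counts.items():
        if n >= NEAR_THRESHOLD_MIN_COUNT:
            flags[employee].add("repeated claims just under approval threshold")
    return {e: sorted(r) for e, r in flags.items()}


def sample_audit(records, sample_ids):
    """Run the same rules on only the sampled record ids (a traditional audit)."""
    return monitor([r for r in records if r[0] in sample_ids])


def missed_by_sample(records, sample_ids):
    """Employees the full-population run flags that the sample run does not."""
    full, sampled = monitor(records), sample_audit(records, sample_ids)
    return sorted(e for e in full if e not in sampled)


def prob_pattern_visible(population, pattern_size, sample_size):
    """Chance that a random sample of sample_size records contains all
    pattern_size related records, i.e. the chance a pattern rule can fire
    at all when run on the sample instead of the population."""
    if sample_size < pattern_size:
        return 0.0
    return comb(population - pattern_size, sample_size - pattern_size) / comb(population, sample_size)


if __name__ == "__main__":
    every_other = {1, 3, 5, 7, 9}  # a systematic 50% sample of the records
    print("full population:", monitor(RECORDS))
    print("sample only:    ", sample_audit(RECORDS, every_other))
    print("missed by sample:", missed_by_sample(RECORDS, every_other))
    print("P(3-record pattern fully inside a 5-of-10 sample):",
          prob_pattern_visible(len(RECORDS), 3, 5))
```

Run as-is, the full run names four employees for review while the half sample catches one gift and misses both watch-list payments and the split-claim pattern; with ten records and a sample of five, a three-record pattern survives intact in only one sample out of twelve. The rules are deliberately plain so the sampling effect is visible; in practice the watch-list, thresholds and categories come from the company's own policy and ERP data.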

TRANSACTION MONITORING ON DOJ'S WISH LIST

Below, CW writer Dann Maurno looks at the Justice Department's decision not to prosecute Morgan Stanley for FCPA violations.

In its 2012 decision not to prosecute Morgan Stanley for FCPA violations, the Justice Department cited the company's strong internal policies, training, and diligent transaction monitoring.

“Morgan Stanley's compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments,” the Justice Department wrote in its decision not to prosecute Morgan Stanley.

Transaction monitoring was just part of the company's due diligence efforts; the DoJ praised its internal policies, “which were updated regularly to reflect regulatory developments and specific risks” and its frequent training. The company proved through strict documentation that its former Managing Director Garth Peterson had been trained in FCPA compliance seven times between 2002 and 2008, and been issued 35 reminders about compliance. Documentation, not transaction monitoring, spared Morgan Stanley. Still, Peterson had been called up on red flags a number of times regarding connections with politically exposed persons, but managed to talk his way out of them.

Governance, risk and compliance pundit Michael Rasmussen of GRC 20/20 observed in a 2012 paper (“Anti-Bribery & Corruption: The Good, The Bad, and The Ugly”) that ignorance of transactions is no excuse. In the Nature's Sunshine FCPA action of 2009, the Securities and Exchange Commission found that the company's COO and CFO had not had any involvement in or knowledge of improper cash payments in Brazil, but also that they had failed to supervise the company's internal controls.

Rasmussen observed that policy and training programs are commonplace and essential, “but by themselves do not keep organizations out of hot water…the transaction-monitoring component is what makes companies different,” and at its best, keeps a company out of hot water to begin with. So transaction monitoring is just an element of a compliance program, but Rasmussen calls it the cornerstone.

—Dann Maurno

Others fear automated transaction monitoring can be too good, creating the need to deal with lots of small problems that otherwise might not come to the company's attention. “A bigger hurdle for automated compliance monitoring may be the fear of finding an issue that would otherwise be overlooked [with] sample testing,” said Oringel. “A school of thought—and one that I don't agree with—says, ‘we didn't find that problem in our limited sample’ and now we have to conduct more rigorous testing and the self-reporting,” that we wouldn't have to do otherwise. Sample testing is the minimum Justice Department requirement, but, “fortunately, most compliance officers are comfortable seeking the truth that can come from automated monitoring.”

ACL's Paul is also skeptical of on-demand economics. The à la carte costs of pay-per-use lack the predictability of an on-premise installation or a cloud-based subscription. Nor is the sticker price of an on-demand solution the whole price, as implementation is not typically hands-free.

As Fox describes Oversight's T&E solution, “A company's internal IT department could [implement the solution] but they would have to write the scripts for their internal ERP systems, which takes time and money that a company does not usually want to commit. So it is more efficient to outsource the process.” Still, implementations of one to two weeks beat the one to two months that was common for enterprise applications 10 years ago, and one to two years for an ERP implementation.

Finally, despite the promised ease-of-use, Wheeler does not envision on-demand solutions catching fire outside of GRC and audit teams. “The operational folks really don't have a really good appreciation or understanding of the need to do this sort of activity. So without that innate kind of interest, they're not going to be inclined to use a tool. From my own background of working in risk management, it's not top-of-mind to many.”

So, an on-demand compliance revolution is unlikely, but for some functions it provides quick, easy, and inexpensive solutions. As Fox describes, “It's one more tool you need to have for an overall compliance program.”