The evolution of technological solutions to collect and analyze data continues to enhance the ability for businesses to prevent, investigate, and defend against and of business crimes.
In a two-part webinar series, BLG’s Investigations & White Collar Defense Group explores data-driven risk management in terms of compliance, investigation and defense.
Summary of session 1
Presented originally on October 14, 2021.
Presenter: Julia Webster, Senior Associate at BLG Toronto
- Rob Mason, Global Head of Regulatory Intelligence at Relativity Trace
- Jack Martin, Partner and National Director of Forensic Data Analytics at KPMG Canada
- Andrew Terrett, National Director of Legal Technology and Service Delivery at BLG
With better technology at their disposal, companies face changing expectations from regulators on how they implement compliance programs, regardless of their specific industry. Whether in Canada or elsewhere, using artificial intelligence (AI) and screening tools to monitor data in real time creates new efficiencies, from both a time and a cost perspective.
The panelists discuss:
- solutions used to process data with a view to compliance in different industries;
- the limits of automation;
- the human element in effecting a robust compliance program; and
- the future of data analysis.
Data monitoring and developing compliance solutions
Financial institutions may use data screening tools to monitor internal written and verbal communications, in order to comply with internal company codes of conduct, the policies of a primary regulator, or applicable legislation. These tools typically use a number of lexicons (that is, sets of vocabulary words) across a broad range of languages, in conjunction with artificial intelligence, to flag suspicious exchanges in real time. Generating false positives is inevitable, but assessing red flags helps to achieve accuracy through machine-based learning.
To develop solutions to mitigate fraud, a company needs to understand the key warning signs of a particular fraudulent activity. This approach has successfully served as a backbone of anti-money laundering compliance (eg FINTRAC guidance on suspicious transactions) and the detection of bribery and corruption in World Bank-funded development projects. Once a business understands the key warning signs, it can harness machine learning to screen available data, and identify warning signs with a goal to mitigating the risk of fraud.
This can include monitoring online transactions for high-risk IP addresses, monitoring for web traffic from high-risk geographical jurisdictions, cross-referencing purchasing patterns with dollar amounts and time periods, and reviewing any mismatched client account information. Customized solutions, for example developing a software robot (a “bot”) to collect new information posted to a regulator’s website, often provide the best results.
The implementation of a screening program is an iterative process. Businesses must resist a “set it and forget it” mentality and create programs that keep up to date with novel warning signs.
The human contribution and the limits of automation
Using AI to identify non-compliant transactions or behaviors goes a long way in unearthing issues faster and more efficiently, but AI does not apply the creative judgment of counsel and compliance professionals to amend policies and processes. Interpreting false positives and/or patterns in the data generated by AI tools requires human participation, as does decision-making on flagged transactions or communications.
On the machine side, key elements for success include quality data (accurate, complete and uniform) and a performant engine (reliable, robust, operating with the latest technologies, that is nimble enough to accommodate evolving parameters).
On the human side, reviewers need to be versatile and knowledgeable about the subject they are examining. A reviewer must have the ability to notice subtle warning signs and data discrepancies. Based on their findings, reviewers need to be able to identify patterns and escalate problematic transactions with sufficient justification for doing so.
Reducing the number of false positives remains crucial to improving data-driven risk management and reducing the burden on compliance professionals to review each flagged transaction of communication. Reducing false positives relies on a robust positive feedback loop, where compliance professionals identify why a flag may be a false positive. This feedback loop ensures that any machine learning trusted on in a screening tool is continually refined.
The future of data in compliance
The use of cloud computing has assisted compliance and legal professionals in overcoming infrastructure challenges for obtaining a big picture of the applicable data or monitoring real-time data.
Businesses will continue to adjust their focus from compliance breaches to proactive detection of risks. In this pursuit, AI will begin to play a greater role in identifying patterns accurately. As a next step, screening programs should be identifying more of the risk and less of the noise.
Enforcement agencies are considering how to adjust their internal prosecutorial guidelines for assessing compliance policies to account for technological advancements. For example, the United States Department of Justice’s (DOJ) “Evaluation of Corporate Compliance Programs” policy reviews whether compliance departments are empowered and positioned to detect and prevent misconduct. The DOJ evaluates a compliance department’s access to relevant sources of data, whether there are barriers that act to limit the sources of data, and if there is timely and effective monitoring and testing of that data. The DOJ also considers if businesses undergo data-driven periodic reviews and whether policies and procedures are updated to reflect the results of those reviews.
For the legal professional, this will mean wearing multiple hats: while developing expertise in the law, counsel must stay up-to-date on the tools available for implementing and simplifying their clients’ compliance processes.
Watch the webinar session
Data-driven risk management, session 2: Investigations
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.