Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the DOJ’s approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts.
In her remarks, Argentieri said, “Third, under the updated ECCP, our prosecutors will assess whether a compliance program has appropriate access to data, including to assess its effectiveness. We have added questions about whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology available to compliance and risk management personnel. As part of this assessment, we will also consider whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes they use in their business.”
Her remarks were paired with new language in the 2024 ECCP, which stated:
Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant data sources for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit or delay access to relevant data sources, and if so, what is the company doing to address the impediments? Do compliance personnel know of and have the means to access all relevant data sources reasonably timely? Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs? How is the company managing the quality of its data sources? How does the company measure the accuracy, precision, or recall of any data analytics models it uses?
Proportionate Resource Allocation – How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company? Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?
The speech and the 2024 ECCP put new and additional requirements around a corporate compliance program in the areas of data and data analytics. But how exactly should compliance teams navigate these heightened expectations? Here’s what you must do to ensure your compliance program meets these new standards.
Evaluate Your Data Access to Ensure Unimpeded Access to Relevant Data
The first step in aligning with the DOJ’s expectations is to conduct a comprehensive audit of your current data access. Compliance professionals must ask:
- Conduct a Data Access Audit. Identify all the critical data sources for monitoring and testing your compliance policies, controls, and transactions. This includes financial transactions, communications, third-party interactions, and other data relevant to your risk profile.
- Identify and Eliminate Barriers. Once you have a map of your data landscape, scrutinize it for any impediments that may limit or delay access to critical data. These barriers could be technical, such as legacy systems that do not integrate well, or organizational, like departmental silos that restrict data flow. Develop a plan to remove these impediments, whether through technology upgrades, process improvements, or changes in data governance.
- Educate and Empower Compliance Teams. It is not enough for data to be accessible; your compliance personnel must also have the knowledge and tools to access it effectively. Invest in training programs that enhance data literacy among your team members, ensuring they can navigate and leverage data to its full potential.
The DOJ will scrutinize whether your compliance team has the same data visibility as other business units. If you find gaps, now is the time to bridge them.
Assess Resource Allocation for Data Analytics
Argentieri’s remarks also underscore the importance of resourcing. It is more than having data; your corporate compliance function must have the tools and talent to analyze it effectively. The 2024 ECCP emphasizes the importance of using data analytics tools to create efficiencies in compliance operations and measure the effectiveness of compliance programs.
- Technology Investment. Are you using advanced analytics tools? Leverage AI and machine learning to proactively identify patterns, anomalies, and potential compliance risks.
- Invest specifically in Advanced Analytics Tools. Ensure that your compliance program is equipped with state-of-the-art data analytics tools. These tools should be capable of processing large volumes of data, identifying patterns, and flagging potential risks in real-time. Artificial intelligence (AI) and machine learning (ML) can be particularly useful in predictive analytics, helping you stay ahead of emerging risks.
- Human Resources. Do you have data-savvy compliance professionals on your team? Consider upskilling current staff or hiring data analysts who understand the technical and regulatory landscapes.
- Benchmark Resources Across the Organization. Start by comparing the assets, resources, and technology available to your compliance and risk management teams with those available in other departments, particularly those focused on capturing market opportunities. Look for any imbalances that could undermine the effectiveness of your compliance efforts.
- Make a case for compliance. If compliance is underresourced, build a compelling business case for increased investment. Highlight the risks associated with inadequate compliance resources, including the potential for regulatory breaches, reputational damage, and financial losses. Use data to demonstrate how enhanced resources could improve compliance outcomes and protect the organization.
Implement Real-Time Monitoring
The DOJ’s focus on data access and analytics also means that real-time monitoring should be a cornerstone of your compliance strategy. Static, periodic reviews are no longer sufficient.
- Continuous Data Feeds. Implement systems that provide compliance officers with ongoing, real-time data. This allows for immediate detection of potential issues.
- Automated Alerts. Set up automated alerts for key risk indicators, such as unusual transaction patterns or policy violations. This ensures that your team can respond to potential breaches before they escalate.
- Integrate Compliance into Business Strategy. To ensure ongoing support, integrate compliance more closely with business strategy. Show how robust compliance efforts contribute to long-term success, aligning compliance goals with the company’s objectives.
Leverage Data to Assess Compliance Program Effectiveness
The ultimate goal of data access and analytics is to measure and improve the effectiveness of your compliance program. The DOJ is looking for companies that can demonstrate how they use data to inform their compliance efforts.
- KPIs and Metrics. Develop key performance indicators (KPIs) that track compliance program success. Metrics might include the number of detected compliance incidents, response times, or the effectiveness of training programs.
- Data-Driven Adjustments. Use data insights to make real-time adjustments to your compliance strategy. If the data shows a particular area of concern, pivot quickly and address it with targeted interventions.
- Measure the Effectiveness of Analytics Models. Develop metrics to evaluate the performance of your data analytics models. These could include detection rates, false positive/negative ratios, and the speed at which issues are identified and resolved. Review and refine these models to ensure they deliver accurate and actionable insights.
Ensure Transparency and Documentation
Finally, remember that the DOJ will be looking for transparency. Be prepared to demonstrate how you use data, make decisions, and allocate resources.
- Document, Document, Document. Keep thorough records of your data access, analysis processes, and any adjustments based on data insights.
- Audit Trails. Maintain clear audit trails that show how data influenced compliance decisions. This will be critical in demonstrating to the DOJ that your program is reactive and proactively leveraging data to prevent compliance failures.
- Monitor Data Quality. High-quality data is the backbone of effective compliance. Regularly assess the quality of your data sources, checking for accuracy, precision, and recall. Implement data governance frameworks that ensure data integrity and reliability, ensuring your analytics models are based on the best available data.
Finally, under Part III of the 2024 ECCP, in the section entitled, Does the Corporation’s Compliance Program Work in Practice?, the DOJ said prosecutors would pose the following question, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
Coupling that language from the 2024 ECCP with Nicole Argentieri’s speech, you see a clarion call for compliance professionals to elevate their programs through the availability and utilization of data and data analytics to meet the DOJ’s evolving expectations. The message is clear: data is not just a business asset but a compliance imperative. By ensuring unimpeded and robust data access, investing in analytics, implementing real-time monitoring, leveraging data to assess program effectiveness, and achieving resource parity for compliance, your compliance program will meet the DOJ’s standards and drive greater organizational integrity and resilience. In this new era of data-driven compliance, the key to success lies in strategic investment and proactive management.
The stakes have never been higher, but with the right approach, the rewards—reducing risk and increasing trust—are worth the effort.