Categories
Compliance Tip of the Day

Compliance Tip of the Day: Why Data Access is Key to Compliance Effectiveness

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we explore why the DOJ will now evaluate whether compliance teams have adequate access to the necessary data to assess the effectiveness of their programs.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The 2024 ECCP Update on Data Access

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the 2024 update to the Department of Justice’s guidelines for corporate compliance programs, focusing on data and data access.

Tom and Matt explore the significance of these updates and whether they stem from companies showing advancements in data analytics or the DOJ recognizing gaps in data access for compliance officers. The discussion highlights the challenges compliance officers face, especially with diverse ERP systems and data silos, and provides insights into how compliance officers can leverage these guidelines to advocate for better data access within their organizations. The episode also breaks down specific questions from the DOJ’s guidelines, offering practical advice on addressing obstacles to data, resources for data access, and data maintenance.

Key Highlights:

  • The Importance of Data Access in Compliance
  • Challenges in Data Access for Compliance Officers
  • DOJ’s Six Key Questions on Data Access
  • Addressing Data Access Impediments
  • Tools and Resources for Data Analytics
  • Communicating with the Board on Data Analytics

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

Categories
Blog

Argentieri Speech and 2024 ECCP: Data Access and Data Analytics

Deputy Assistant Attorney General Nicole M. Argentieri’s speech highlighted a critical shift in the DOJ’s approach to evaluating corporate compliance programs. As outlined in the updated 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), the emphasis on data access signals a new era where compliance professionals are expected to wield data with the same rigor and sophistication as their business counterparts.

In her remarks, Argentieri said, “Third, under the updated ECCP, our prosecutors will assess whether a compliance program has appropriate access to data, including to assess its effectiveness. We have added questions about whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology available to compliance and risk management personnel. As part of this assessment, we will also consider whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes they use in their business.”

Her remarks were paired with new language in the 2024 ECCP, which stated:

Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant data sources for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit or delay access to relevant data sources, and if so, what is the company doing to address the impediments? Do compliance personnel know of and have the means to access all relevant data sources reasonably timely? Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs? How is the company managing the quality of its data sources? How does the company measure the accuracy, precision, or recall of any data analytics models it uses?

Proportionate Resource Allocation – How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company? Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?

The speech and the 2024 ECCP put new and additional requirements around a corporate compliance program in the areas of data and data analytics. But how exactly should compliance teams navigate these heightened expectations? Here’s what you must do to ensure your compliance program meets these new standards.

Evaluate Your Data Access to Ensure Unimpeded Access to Relevant Data

The first step in aligning with the DOJ’s expectations is to conduct a comprehensive audit of your current data access. Compliance professionals must take the following steps:

  • Conduct a Data Access Audit. Identify all the critical data sources for monitoring and testing your compliance policies, controls, and transactions. This includes financial transactions, communications, third-party interactions, and other data relevant to your risk profile.
  • Identify and Eliminate Barriers. Once you have a map of your data landscape, scrutinize it for any impediments that may limit or delay access to critical data. These barriers could be technical, such as legacy systems that do not integrate well, or organizational, like departmental silos that restrict data flow. Develop a plan to remove these impediments, whether through technology upgrades, process improvements, or changes in data governance.
  • Educate and Empower Compliance Teams. It is not enough for data to be accessible; your compliance personnel must also have the knowledge and tools to access it effectively. Invest in training programs that enhance data literacy among your team members, ensuring they can navigate and leverage data to its full potential.

The DOJ will scrutinize whether your compliance team has the same data visibility as other business units. If you find gaps, now is the time to bridge them.

Assess Resource Allocation for Data Analytics

Argentieri’s remarks also underscore the importance of resourcing. It is more than having data; your corporate compliance function must have the tools and talent to analyze it effectively. The 2024 ECCP emphasizes the importance of using data analytics tools to create efficiencies in compliance operations and measure the effectiveness of compliance programs.

  • Technology Investment. Are you using advanced analytics tools? Leverage AI and machine learning to proactively identify patterns, anomalies, and potential compliance risks.
  • Invest specifically in Advanced Analytics Tools. Ensure that your compliance program is equipped with state-of-the-art data analytics tools. These tools should be capable of processing large volumes of data, identifying patterns, and flagging potential risks in real-time. Artificial intelligence (AI) and machine learning (ML) can be particularly useful in predictive analytics, helping you stay ahead of emerging risks.
  • Human Resources. Do you have data-savvy compliance professionals on your team? Consider upskilling current staff or hiring data analysts who understand the technical and regulatory landscapes.
  • Benchmark Resources Across the Organization. Start by comparing the assets, resources, and technology available to your compliance and risk management teams with those available in other departments, particularly those focused on capturing market opportunities. Look for any imbalances that could undermine the effectiveness of your compliance efforts.
  • Make a Case for Compliance. If compliance is under-resourced, build a compelling business case for increased investment. Highlight the risks associated with inadequate compliance resources, including the potential for regulatory breaches, reputational damage, and financial losses. Use data to demonstrate how enhanced resources could improve compliance outcomes and protect the organization.

Implement Real-Time Monitoring

The DOJ’s focus on data access and analytics also means that real-time monitoring should be a cornerstone of your compliance strategy. Static, periodic reviews are no longer sufficient.

  • Continuous Data Feeds. Implement systems that provide compliance officers with ongoing, real-time data. This allows for immediate detection of potential issues.
  • Automated Alerts. Set up automated alerts for key risk indicators, such as unusual transaction patterns or policy violations. This ensures that your team can respond to potential breaches before they escalate.
  • Integrate Compliance into Business Strategy. To ensure ongoing support, integrate compliance more closely with business strategy. Show how robust compliance efforts contribute to long-term success, aligning compliance goals with the company’s objectives.

Leverage Data to Assess Compliance Program Effectiveness

The ultimate goal of data access and analytics is to measure and improve the effectiveness of your compliance program. The DOJ is looking for companies that can demonstrate how they use data to inform their compliance efforts.

  • KPIs and Metrics. Develop key performance indicators (KPIs) that track compliance program success. Metrics might include the number of detected compliance incidents, response times, or the effectiveness of training programs.
  • Data-Driven Adjustments. Use data insights to make real-time adjustments to your compliance strategy. If the data shows a particular area of concern, pivot quickly and address it with targeted interventions.
  • Measure the Effectiveness of Analytics Models. Develop metrics to evaluate the performance of your data analytics models. These could include detection rates, false positive/negative ratios, and the speed at which issues are identified and resolved. Review and refine these models to ensure they deliver accurate and actionable insights.

Ensure Transparency and Documentation

Finally, remember that the DOJ will be looking for transparency. Be prepared to demonstrate how you use data, make decisions, and allocate resources.

  • Document, Document, Document. Keep thorough records of your data access, analysis processes, and any adjustments based on data insights.
  • Audit Trails. Maintain clear audit trails that show how data influenced compliance decisions. This will be critical in demonstrating to the DOJ that your program is not merely reactive but is proactively leveraging data to prevent compliance failures.
  • Monitor Data Quality. High-quality data is the backbone of effective compliance. Regularly assess the quality of your data sources, checking for accuracy, precision, and recall. Implement data governance frameworks that ensure data integrity and reliability, ensuring your analytics models are based on the best available data.

Finally, under Part III of the 2024 ECCP, in the section entitled “Does the Corporation’s Compliance Program Work in Practice?”, the DOJ said prosecutors would pose the following question: “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

Coupling that language from the 2024 ECCP with Nicole Argentieri’s speech, you see a clarion call for compliance professionals to elevate their programs through the availability and utilization of data and data analytics to meet the DOJ’s evolving expectations. The message is clear: data is not just a business asset but a compliance imperative. By ensuring unimpeded and robust data access, investing in analytics, implementing real-time monitoring, leveraging data to assess program effectiveness, and achieving resource parity for compliance, your compliance program will meet the DOJ’s standards and drive greater organizational integrity and resilience. In this new era of data-driven compliance, the key to success lies in strategic investment and proactive management.

The stakes have never been higher, but with the right approach, the rewards—reducing risk and increasing trust—are worth the effort.

Categories
Innovation in Compliance

Innovation in Compliance: Unpacking Healthcare Compliance with Maria Villanueva

Innovation comes in many forms, and compliance professionals must be ready for and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom welcomes compliance aficionado Maria Villanueva to dive deeply into healthcare compliance.

In this episode, Tom and Maria discuss her diverse career trajectory from accounting to healthcare compliance and delve into the complexities of ethical selling, aggregate spending challenges, and the growing role of AI in the compliance industry. Drawing on her extensive experience, she offers valuable insights on balancing roles in compliance and HR, the impact of data analytics, and the future landscape of healthcare compliance.

Key Highlights

  • Passion for Healthcare
  • Challenges in Healthcare Compliance
  • Balancing Compliance and HR Roles
  • The Role of Data Analytics and AI in Compliance
  • Future of Healthcare Compliance

Resources:

Maria Villanueva on LinkedIn 

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Data Driven Compliance and Hybrid Work

In today’s episode, we consider the need for new or additional analytics in the post-Covid era of hybrid work.

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: What The Pandemic Changed for Compliance

In this episode, we consider the ongoing trends that accelerated during the pandemic year of 2022 and how these changes have impacted compliance literally forever.

These changes include:

  1. Compliance Convergence
  2. Public/private partnership in the ABC fight
  3. Data, Data, Data
  4. Compliance as an ethical & business advantage

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Data Driven Compliance

Data Driven Compliance: Sheetal Parikh on Banking Integration: Connecting Banks and Fintech Companies

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast hosted by Tom Fox. It features an in-depth conversation about the uses of data and data analytics in compliance programs. Data Driven Compliance is back with another exciting episode. The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions. Today, we look at the intersection of data analytics, banking, and compliance with Sheetal Parikh.

Sheetal Parikh is a seasoned attorney with over 18 years of experience in the financial services industry, currently serving as the Associate General Counsel and VP of Compliance at Treasury Prime. Drawing from her extensive background in securities and commodities litigation and regulatory work, Parikh advocates for a collaborative approach to integrating Fintech and banks, with a strong emphasis on compliance. She believes that Treasury Prime’s role is not to offload compliance functions but to provide banks and Fintech with a toolkit and set of tools, both through technology and expertise, to establish a compliance program that suits their specific risk profile and use case. Parikh also foresees a future where fintech companies offering banking products and services will face more direct oversight and regulation, as they are currently regulated indirectly through banks. Join Tom Fox and Sheetal Parikh on this episode of the Data Driven Compliance podcast to delve deeper into this topic.

Highlights Include:

  • Banking Integration and Compliance Solutions
  • Responsible Innovation in the Banking Industry
  • Consequences of Regulatory Non-Compliance
  • Regulating Fintech Companies as Banks

Resources:

Sheetal Parikh on LinkedIn

Treasury Prime

Categories
Corruption, Crime and Compliance

Catching Up with California and State Data Privacy Laws

California’s data privacy regulations, primarily embodied in the California Consumer Privacy Act (CCPA) and its extension through the California Privacy Rights Act (CPRA), constitute a pioneering and influential framework. These regulations, effective from 2018 and further strengthened in 2020, set a standard for data protection not only within the state but also across the national and global economy. In this episode of Corruption, Crime and Compliance, Michael Volkov explores the nuances of the CCPA and CPRA, and the evolving data privacy landscape.

You’ll hear Michael talk about:

  • The lack of a federal data privacy law in the United States has led to a complex patchwork of state laws. Businesses are faced with the challenge of navigating these varied regulations, which contributes to compliance complexities.
  • California, through the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), is a leader in data privacy regulation in the United States, with implications for both the national and global economy. The CPRA, enacted in 2020, establishes the California Privacy Protection Agency (CPPA) to enforce the law robustly.
  • The CPRA introduces critical changes, including:
      • Protection of employee and business-to-business personal information, which is now subject to the same privacy protections as consumer personal information.
      • Enhanced consumer rights, such as the right to access, delete, and correct their personal information, and the right to opt out of the sale of their personal information.
      • Companies are now obligated to implement reasonable security precautions and undergo annual cybersecurity audits and risk assessments.
  • In addition to California, other states such as Virginia, Colorado, Utah, Iowa, and Connecticut have also enacted data privacy laws that echo the GDPR. Businesses must stay up-to-date on evolving compliance requirements and adapt their systems accordingly.
  • Compliance issues comprise risk assessments, impact assessments, adherence to data breach requirements, and compliance with notification standards. Companies are developing systems based on the most stringent set of laws to guarantee compliance.

 

KEY QUOTES

“We have a patchwork of laws that apply in the United States. Unfortunately, we continue to suffer from the absence of a federal data privacy and breach notification law. Congress has tried for years to broker a deal here, but it has never been able to overcome strong lobbying forces. Whether it’s high tech trial lawyers, law enforcement, or other gadflies, the public continues to suffer.” – Michael Volkov

 

“Many commentators have suggested that California’s data privacy laws and regulations are starting to look closer and closer to the EU’s GDPR regime.” – Michael Volkov

 

“To me, we’re getting into a more strict regulation. We already have, under the California Consumer Privacy Act, a requirement to have on your website: an ‘opt out’ in terms of any information that you may provide to a website, that it can’t be used by the entity for sharing or selling or whatever consumer products purposes. So keep tabs on the California events.” – Michael Volkov

 

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
Data Driven Compliance

The Uses of Data Driven Compliance: Part 4 – What to Ask For and How to Ask For It

Welcome to Data Driven Compliance. In this podcast, we discuss how to use data to improve and enhance the effectiveness of your compliance program, creating greater business efficiency, all leading to more return on investment for your compliance regime. Join host Tom Fox as he explores how data will drive your compliance program to the next level. This podcast is sponsored by KonaAI.

I recently had the opportunity to visit with Vince Walden, founder and CEO of KonaAI, for a podcast series on the uses of data driven compliance. Over these five podcasts, we will discuss generative AI and ChatGPT in compliance, the profiles of a corrupt payment, making the business case for data-driven compliance, what to ask for and how to ask for it, and some success stories. In Part 4, we discuss what data a CCO needs to ask for and how to do so.

Vince Walden brings knowledge and experience in continuous compliance monitoring and risk assessment processes. Walden’s perspective on the topic is that it should be approached as a journey, not a one-time program. He emphasizes the importance of proactive risk assessments and continuous monitoring, advocating for an iterative approach demonstrating constant improvement in compliance efforts. This perspective is shaped by his belief that meeting regulatory expectations requires a diligent and ongoing commitment to improvement.

Walden also suggests that data sources should be identified based on the results of the fraud risk assessment and that the ease of obtaining the data should be considered when prioritizing analytics projects. To delve deeper into what data a CCO should ask for and how to ask for it, join Tom Fox and Vince Walden on this Data Driven Compliance podcast episode.

Key Highlights:

  • Continuous improvement through risk assessments and monitoring
  • Effective risk assessment through diverse data sources
  • Uncovering hidden relationships through expense categories

Resources:

Connect with Vince Walden on LinkedIn

Check out Kona AI

Connect with Tom Fox on LinkedIn

Categories
Blog

What Data to Ask For and How to Ask for It

I recently had the opportunity to visit with Vince Walden, founder and CEO of KonaAI, for a podcast series on the uses of data driven compliance. KonaAI is the sponsor of those podcasts. This blog post series will flesh out the podcast show notes over the next five blog posts, and we will discuss generative AI and ChatGPT in compliance, the profiles of a corrupt payment, making the business case for data-driven compliance, what to ask for and how to ask for it and some success stories. In Part 4, we will explore what data to ask for and how to ask for it.

As always, I am joined by Vince Walden, founder and CEO of KonaAI. There is a quiet revolution happening in the realm of compliance. It’s one that, if harnessed correctly, can turn a typically reactive process into a proactive strategy. I am, of course, talking about data-driven compliance. By using the vast amounts of data your organization collects, you can uncover potential compliance risks before they become actual problems. This approach can be a game-changer for your role as a compliance officer and your organization’s overall risk management strategy. No longer will you be caught off guard. Instead, you’ll lead the charge with real-time insights and actionable data.

Imagine a world where compliance isn’t a headache but a strategic advantage. You’re not constantly putting out fires but predicting and preventing them. It might sound like a dream, but it doesn’t have to be. How so? Well, by adopting a data-driven approach to compliance. This innovative method allows you to identify, assess, and manage potential compliance risks based on actual data. It’s about staying one step ahead, making informed decisions, and truly adding value to your organization. It’s not just about avoiding penalties and meeting regulations anymore. It’s about creating an environment of continuous improvement and proactive risk management.

Let’s paint a picture. You’re in a game of chess. But in this game, you’re not just reacting to your opponent’s moves. You’re anticipating them, strategizing, and making proactive decisions. That’s the power a data-driven approach to compliance can bring to your role as a compliance officer. It’s more than just crunching numbers and keeping up with regulations. It’s about leveraging the power of data to identify and mitigate risks before they materialize. It’s about transforming compliance from a cost center into a strategic asset. So, if you’re curious about how to make this data-driven shift, buckle up because we’re about to dive deep into this transformative realm.

Compliance monitoring and risk assessment are crucial components of any effective compliance program. In a recent episode of the podcast “Data Driven Compliance,” hosted by Tom Fox and featuring Vince Walden, the topic of continuous compliance monitoring and risk assessment process was explored in depth. This article aims to comprehensively analyze the critical factors that impact this process, discuss the tradeoffs involved in balancing different factors, and explore the challenges associated with other approaches.

Vince highlighted the importance of starting with a fraud risk assessment. This initial step allows organizations to identify high-frequency and high-impact risks and implement mitigating controls. Compliance professionals can prioritize their efforts and focus on the most critical areas by assessing the likelihood and impact of various risks on a scale of one to ten.

Data sources play a crucial role in risk assessment. Financial accounting systems and third-party data are valuable sources of information for identifying and mitigating risks. Tracking and categorizing expenses in accounting systems is significant for identifying anomalies and assigning risk scores. Vince highlighted the significance of having a centralized system, such as the Kona platform, to streamline this process.

However, Vince cautioned against relying solely on analytics without integrating them into the fraud risk assessment. He emphasized the need for alignment between data analysis and risk assessment to ensure efforts are focused on addressing the identified risks. Simply conducting data analytics without considering the underlying risks may not yield meaningful results.

One of the challenges in continuous compliance monitoring and risk assessment is the availability and accessibility of data. Some data sources may be hard to obtain, requiring compliance professionals to prioritize based on the ease of data acquisition and its value. For example, if faced with choosing to conduct a data analytics project in Brazil or China, Walden suggested starting with Brazil due to the relative ease of obtaining data from that region.

Another challenge lies in the scope of compliance monitoring. Walden emphasized that compliance monitoring is not a one-time, all-encompassing effort. It is a journey that involves proactively assessing risks and monitoring them from location to location. Compliance professionals should focus on demonstrating continuous improvement rather than tackling all threats at once. This approach aligns with regulators’ expectations of an effective due diligence program.

In addition to the primary focus on risk assessment, Walden highlighted the importance of considering ancillary areas of inquiry. For instance, looking at areas such as charitable donations or marketing spending can provide valuable insights into potential risks of bribery or corruption. The KonaAI tool can help correlate these ancillary data points and provide a more comprehensive view of compliance risks.

In conclusion, continuous compliance monitoring and risk assessment require a thoughtful and balanced approach. Organizations can identify and prioritize risks, starting with a comprehensive fraud risk assessment. Data sources, such as financial accounting systems and third-party data, play a crucial role in this process. However, aligning data analytics with the identified risks is essential to ensure meaningful results. Compliance professionals should also consider the data availability challenges and scope of compliance monitoring. Organizations can meet regulatory expectations and enhance their compliance programs by demonstrating continuous improvement and considering ancillary areas of inquiry.

Resources:

Connect with Vince Walden on LinkedIn

Check out KonaAI

Connect with Tom Fox on LinkedIn