Are data-sharing consortiums the future of anti-fraud?

More organizations are collaborating with data-sharing consortiums to safely exchange fraud risk profile information that could improve their internal prevention and detection activities. Here’s an interview with Matt Galvin, global VP of ethics and compliance at Anheuser-Busch (AB) InBev, who discusses how cross-company collaboration might affect the anti-fraud profession.

In 2019, the ACFE and SAS Institute released the Anti-Fraud Technology Benchmarking Report, derived from the answers to a 19-question survey sent to 41,181 randomly selected ACFE members. More than 1,000 responded. One question that caught my attention was, “Are organizations contributing to data-sharing consortiums to help prevent or detect fraud?” I was surprised to learn that more than a quarter of the respondents (29%) do contribute to some form of data-sharing consortium that feeds particular data into an aggregated database that all member organizations can access.

According to the report, consortiums design these initiatives to help member organizations benefit from the collective data by identifying trends and protecting themselves from known threats. Another 21% reported they don’t contribute to a consortium but would be willing to do so in the future. (See the figure of the cover and graph from the 2019 ACFE Anti-Fraud Technology Benchmarking Report above.)

Naturally, organizations can reap significant benefits by sharing data. But as the report indicates, organizations might opt out of such initiatives for numerous reasons, such as privacy concerns and logistical challenges in disclosing their data to other organizations.

If organizations could truly figure out ways to anonymously share fraud risk indicators — such as those from actual cases of bribery, conflicts of interest, financial misstatements or misappropriation of assets — it would revolutionize our profession. With that in mind, Fraud Magazine interviewed Matt Galvin, a recognized thought leader in compliance and anti-fraud technology innovation. Galvin is vice president, global ethics and compliance at Anheuser-Busch (AB) InBev and leads a team of more than 50 legal, compliance and fraud risk professionals globally.

Galvin spearheads BrewRIGHT, AB InBev’s award-winning compliance technology and transaction monitoring platform. BrewRIGHT uses machine learning and behavioral analytics to monitor billions of dollars in third-party payment activities, investigations and travel and entertainment data, and many other compliance modules as part of a data-driven compliance approach. Galvin is also very interested in the concept of corporate data-sharing consortiums and has facilitated many discussions with other business leaders on the topic.

FM: As head of ethics, compliance and investigations at AB InBev, why do you see the need for companies to collaborate and share fraud risk data in a consortium-type manner?

Galvin: Well, we’ve been working on BrewRIGHT platform for roughly four years now, and one of our stated goals at the outset was to get to the point of prediction in terms of intercepting for instances of fraud or corruption before they would occur. Now, with any sort of data set and with any sort of data science approach, the more structured data that you have with meaningful input [e.g., confirmed fraudulent payments], the better your predictive models get. Prediction to me is like the Holy Grail. But to get there you need a pretty robust data set as well as a lot of instances of what a fraudulent — or non-compliant — transaction looks like.

I’m happy to report, I guess, that as a single company, I haven’t had the number of instances of fraud and corruption needed to create a data set robust enough to get to effective prediction. So, where can I get that sort of data set? I could track this data over time, but it could take years to collect such a data set, and by then it might be obsolete. Or, perhaps, we can all start to work as part of a cross-company consortium and obtain that data set a whole lot faster.

FM: What information would be shared? And how would it be kept sanitized or anonymous?

Galvin: We have a number of models that we’re evaluating. One would be a vendor profile repository [i.e., a blacklist of high-risk vendors], and another would be a transactional profiling repository [i.e., a library of validated risky, fraudulent or non-compliant transactions]. Actually, I’m very excited as I’ve recently been thinking about how to put contracts on a distributed ledger. As background, a distributed ledger is a database that is consensually shared and synchronized across multiple sites, institutions or geographies and accessible by multiple people. For reference, blockchain is a type of distributed ledger.

Currently, there’s a fascinating legal contract consortium in place now that I’m partnering with to take [AB Inbev’s] higher-risk vendor management contracts and put them on a distributed ledger in a way that would allow us to extract the key aspects of the data for each contract.

The nice thing about this kind of distributed ledger technology is it allows you to reliably share information blindly (or anonymously), but also only shares what you need to. In many respects, like with a lot of our transactional payment models, you wouldn’t share any transaction-specific information at all. What you would be sharing is the formula [or algorithm] generated from the transaction and then get feedback on that formula from other members of the consortium. It’s basically like sharing the recipe of a fraud-risk event without sharing any of the ingredients. In that model, you just get feedback on how good the recipe is — effectively laying the groundwork for distributed ledger technology.

Galvin: Two separate questions, right? How universal can it be and then how would it actually work? The two are somewhat related. When I look at AB InBev as a company, we’re operating in over 80 countries where roughly 90% of our value chain is local. So as much as we’re global, we are also hyper-local. This creates a virtual laboratory of events and risk algorithms to learn from throughout the supply chain because we’re working with so many people locally in different markets.

Now, that doesn’t mean every algorithm I’ve developed will work for every company everywhere. But it does give me a high degree of confidence. From an accounting perspective, most companies — regardless of industry — follow the same accounting rules of what must be captured in payments or sales. For example, most follow generally accepted accounting principles [GAAP] and/or international financial reporting standards. I’ve talked to a lot of different multinational companies in the market — across energy, pharma, technology and consumer products, to name a few — and I don’t believe that every algorithm I have will work for everyone everywhere. But I do believe that some of my algorithms work for everyone somewhere.

FM: What advice do you have for investigators or compliance professionals for becoming more familiar with this consortium concept?

Galvin: In the short term, where I’ve seen companies have greater successes is when faced with the choice between building or buying technology, they choose to build. For the investment price of a data scientist on your compliance or investigations team (which, in the current economy, you can get someone decent), you can start to understand the challenges that you have and start figuring out things that can create a lot of quick wins for you.

Next, I would start looking at what data sets you have that are going to be overlapping with other organizations — instead of buying or renting a third-party tool that sort of sends your own data back at you. That’s not really improved by any sort of expertise, nor is that learning in any sort of important way. This is where the consortium is going to bring tremendous value — where you can get a lot of quick wins, leveraging the collective knowledge of broad, diverse data sets.

FM: So, your advice is, if you’re not doing analytics now internally, you need to think about hiring a data scientist. Because eventually, when this consortium is ready, you need to have something to contribute.

Galvin: Yes. You mentioned those stats that SAS and the ACFE put out about different developments and appetite for fraud-based consortiums, and there are different appetites and experiences with that. But when you look outside of fraud, you can think about the foundation principles of how the credit card system works in the banking industry.

To me, it’s no accident that credit cards are way advanced in terms of machine learning to spot fraud because they are centralized, and a lot of transactions flow through them. It’s a consortium of banks sharing credit card fraud risk data. That was a decision by banks to not replicate processes, and something that should indeed be centralized.

In the future, compliance and anti-fraud should not really function as something that everybody does manually and in a silo. There’s going be some aspects of it that you couldn’t replicate as a consortium, sure, but so much of what we do as compliance officers and investigators in our own companies is the same as what other compliance officers and investigative professionals do at their companies. That’s going to work a lot better as part of consortium where collaboration is key.

FM: Do you think you can give a time frame for when a viable consortium beta would be available to organizations?

Galvin: So, I am working right now with one company on a tech solution to get something in beta in the first quarter of this year, and then I believe things will start moving very quickly. Stay tuned.

Vincent M. Walden, CFE, CPA, is a managing director with Alvarez & Marsal’s Disputes and Investigations Practice and assists companies with their anti-fraud, investigation and compliance monitoring programs. He welcomes your feedback. Contact Walden at vwalden@alvarezandmarsal.com. Walden thanks Matt Galvin for his contributions to this column.