Profile of an improper (corrupt) payment

If we were somehow able to see all of history’s bribes, kickbacks, conflicts of interests, duplicative payments, fake vendors, restricted entities and anomalous transactions from multiple companies and/or multiple regulatory enforcement actions, what would be some of the common threads? What common keywords do people use to describe an improper payment?

I posed these and other questions to some of the data scientists on my team who worked on a research project with the Anheuser-Busch InBev Foundation and the MIT researchers at Integrity Distributed (InDi), a nonprofit anti-fraud and anti-corruption think tank. In this research, we looked at the predictive modeling improvements when companies collaborate to fight corruption — without having to share the underlying data. Within that model, we can also analyze what attributes (or variables) were driving that model in hopes of unlocking the profile of an improper or corrupt payment.

Here were a few of my other queries for the research team:

• What’s the most common general ledger account an improper expense is booked to?
• What anti-fraud test is most common among the population of these known fraudulent transactions?
• Are manual payments the norm, or are they outliers? Are there occasions where manual payments are being abused for personal benefits?

Knowing whether a transaction is benign or indeed a high-risk or improper payment is an important distinction that often challenges prosecutors, lawyers and anti-fraud professionals like us. It takes time to gather evidence, review source documentation, run selected anti-fraud algorithms and analytics, and interview suspected individuals. If we could, with statistical confidence, quickly identify and remediate improper payments — perhaps even before they get paid out to a third party — we could not only save our organizations tremendous amounts of time and money, but also keep our organizations out of trouble with regulators.

Indeed, now more than ever, organizations using data analytics and collaborative initiatives such as InDi have an incentive to quickly and proactively identify and substantiate risks to determine if self-disclosure is necessary. That’s because, in February, the U.S. Department of Justice announced a new standard of voluntary self-disclosure. Under the new standard, one of the factors of leniency hinges on a company’s voluntary disclosure of misconduct to the U.S. Attorney’s Office “within a reasonably prompt time after the company becoming aware of the misconduct, with the burden being on the company to demonstrate timeliness,” potentially resulting in non-prosecution agreements and reduced fines. (See “United States Attorneys’ Offices Voluntary Self-Disclosure Policy,” justice.gov press release.)

What can be measured?

Roopak K. Prajapat is an advisor to the InDi team and Anheuser-Busch InBev’s lead data scientist/global director on their BrewRIGHT compliance monitoring platform, which focuses on building predictive models to proactively identify, prevent and detect potentially improper payments using machine-learning algorithms. Prajapat says that with today’s advances in machine learning and artificial intelligence (AI), the possibilities are quite exciting, especially when companies collaborate to fight corruption. Through guidance and work on the InDi project, which has (to date) processed over $75 billion in third-party vendor payments across nearly a dozen Fortune 500 companies, Prajapat is starting to garner some important insights about high-risk payments.

However, Prajapat cautions that the results are still evolving and not yet conclusive, as the models need to be further trained with better classifications (or tagging of improper payments). He also says that it’s incumbent upon legal, compliance and anti-fraud professionals to diligently identify and document any vulnerabilities or weaknesses in the organization’s processes that malicious actors could potentially exploit. By doing so, these professionals can provide invaluable guidance to the data scientists on their team. The data scientists can, in turn, use this guidance to design generative and automated solutions that can help enhance an organization’s risk mitigation strategies and strengthen its overall compliance and fraud risk management posture.

Prajapat provided a few insights from his research thus far. Some initial profiles he’s seeing across hundreds of tagged high-risk vendor payments often include the following attributes:

• Payments from vendors who have multiple bank accounts or tax IDs.
• Payments appear as urgent; i.e., when vendor creation date and approval date are very near the payment date, among other combinations.
• Payments occur in high-risk countries, as classified by Transparency International’s Global Corruption Perceptions Index.
• Amounts are expensed to general ledger accounts that fall under curated categories of high, medium and low-risk categories.
• Payments go to seemingly high-risk expense industries; e.g., transportation, customs, advertising, etc.

Another area that organizations can analyze and benchmark against their data involves the behavioral algorithms and anti-fraud tests being used across the population. There are hundreds of anti-fraud tests available to practitioners seeking to identify improper payments, which can involve conflicts of interests, bribes and kickbacks and fake vendor schemes.

The InDi team scanned well over 200 pre-built, procure-to-pay, vendor payment tests. But which tests were most frequently triggered among the high-risk payments that were tagged and verified by humans? Some interesting trends became apparent among the more than $75 billion in payments analyzed across the dozen or so companies in a variety of industries. By far, vendors getting paid outside of purchase orders seemed to be the most common occurrence at nearly 9%. The second most common theme helps demonstrate the importance of text mining and keyword searching to identify the “corrupt intent” in a payment. Keyword hits such as “special payment,” “help fee” and other suspicious terms from the team’s extensive Foreign Corrupt Practices Act (FCPA) library of hundreds of keywords were found to be the second most common trigger. Figure 1 below shows the top 10 tests most frequently occurring in the population sample.

Why should we measure?

Greg Shultz is director and global head of anti-bribery compliance at Blackrock, the world’s largest asset manager. Shultz says that using anti-corruption data analytics techniques focused on transaction data is not only a great way to mitigate risk — it also helps companies run more effectively. Shultz is responsible for ensuring that Blackrock’s real assets business, which has companies all over the world, has effective anti-bribery and compliance controls in line with DOJ’s and other regulators’ expectations.

“Comparing the above tests to your own anti-fraud and anti-corruption program is just the start,” says Shultz.

“Companies should also be putting the right technologies in place to sustain the monitoring program over time — adapting and incorporating new tests and data sources as new risks emerge. Compliance and anti-fraud monitoring is not a one-time project, with a defined start and stop. It is a business process that demonstrates continuous improvement and advancement over time.”

The future looks bright

Fortunately, the compliance monitoring and anti-fraud/anti-corruption tools available in today’s market are no longer cost prohibitive. What used to cost several million dollars in software, consultants and hardware resources ten years ago can now be deployed (in-house) for around $150,000 to $250,000 — about the same cost as one corporate fraud incident, according to the latest ACFE Report to the Nations. For mid-to-large global companies that utilize technology and machine learning in their everyday business, the regulatory expectation is that both internal audit and compliance are using at least some levels of comparable, sophisticated technology to prevent and detect instances of fraud — especially for those companies subject to U.S. and European regulations. With the prospect of increasing collaboration enabling companies to share results (without having to share underlying data), the future indeed looks bright.

Vincent M. Walden, CFE, CPA, is the CEO of Kona AI, an AI-driven anti-fraud and compliance technology company. Contact him at vwalden@konaai.com.