
Who owns transaction and controls monitoring?
Read Time: 5 mins
Written By:
Vincent M. Walden, CFE, CPA
Anti-bribery and anti-corruption (ABAC) programs are a critical priority for corporate organizations operating in today’s globalized business environment, as these programs enable ethical business behavior and compliance with various regulations around the world. Failing to adopt an approach focused on data and analytics and continuing a siloed approach toward compliance can allow illegal and unethical acts to go unnoticed, even resulting in significant fines and penalties as software company SAP SE (SAP) learned last year. In January 2024, the U.S. Department of Justice (DOJ) fined the German-based company $222 million, and the U.S. Securities and Exchange Commission (SEC) hit the company with a $98 million fine for paying bribes to South African and Indonesian officials.
Despite penalties for noncompliance, many organizations don’t have a comprehensive strategy for their compliance programs. In my experience at a Fortune 100 global technology company, I’ve observed how many organizations fall short of effectively addressing bribery and corruption risks. This column highlights the pitfalls of traditional compliance methods and underscores the necessity of a data-driven paradigm, as emphasized in the DOJ’s 2024 updates to the Evaluation of Corporate Compliance Programs (ECCP), even in light of U.S. priority shifts concerning the Foreign Corrupt Practices Act (FCPA).
On Feb. 10, the White House issued an executive order pausing FCPA investigations and enforcement actions for at least 180 days. The FCPA prohibits the bribery of foreign officials to obtain or retain business, and it applies to U.S. entities and foreign firms using U.S. interstate commerce to make corrupt payments. The law’s accounting provisions require companies to keep accurate records and maintain internal controls. The recent executive order directs the U.S. Attorney General to review existing FCPA guidelines, resolve ongoing cases, and align future policies with U.S. economic and foreign policy interests.
The order affects the DOJ’s criminal prosecutions, not the SEC’s civil enforcement of FCPA provisions. Companies must continue to comply with the FCPA and other anti-bribery laws globally.
In a Feb. 7 memorandum, U.S. Attorney General Pamela Bondi directed the Criminal Division’s FCPA Unit to “prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs [Transnational Criminal Organizations], and shift focus away from investigations and cases that do not involve such a connection. Examples of such cases include bribery of foreign officials to facilitate human smuggling and the trafficking of narcotics and firearms.”
Details on the FCPA — including anti-bribery and accounting provisions, jurisdiction and enforcement — are available from the DOJ’s FCPA Resource Guide. The guide covers what makes a corporate compliance program effective and the factors that the DOJ and SEC consider when deciding to pursue an investigation, including voluntary self-disclosure, cooperation and remediation.
And while the U.S. has, at least temporarily, shifted its focus to bribery and corruption related to cartels, other global laws and regulations still require attention to anti-bribery and corruption related to foreign officials. For example, the U.K. Bribery Act 2010 criminalizes bribery and corruption in the U.K. and abroad and applies to cases of public- and private-sector bribery. The U.K. government’s guidance document has six principles for organizations to follow when developing anti-bribery procedures and policies:
The European Union also has proposed legislation in the works aimed at preventing and combating corruption within its member states and internationally. The new law would replace the 1997 Convention on fighting corruption involving officials of the EU or officials of EU countries and the 2003 Council Framework Decision on combating corruption in the private sector. It would also amend the Directive (EU) 2017/1371.
This legislative proposal will incorporate international standards that are binding on the EU, such as those in the United Nations Convention Against Corruption (UNCAC), which includes ABAC provisions.
Despite the risks of noncompliance with ABAC laws, such as sanctions and enforcement actions against companies and individuals, many organizations remain entrenched in outdated practices, complete with manual processes, fragmented oversight and insufficient data utilization. According to the DOJ and the SEC, the primary reasons for ABAC noncompliance include:
These approaches not only increase an organization’s exposure to regulatory action but also undermine trust and organizational integrity.
Recognizing the limitations of conventional methods, the DOJ’s 2024 ECCP updates call for a transformative shift toward data-driven ABAC compliance programs. These updates stress the importance of leveraging data analytics to proactively identify, assess and mitigate ABAC risks. Key pillars of this approach include:
A comprehensive ABAC compliance framework relies on the integration of three critical data dimensions: internal business, internal compliance and external data. The diagram below illustrates how compliance programs can leverage data sources to strengthen their compliance programs.
Internal business/transaction data includes three key domains:
These domains interconnect to reveal potential red flags, such as GTE transactions linked to vendors or payments.
Internal compliance data tools such as codes of business conduct (COBC), ABAC training, conflict-of-interest (COI) disclosures, and whistleblower hotlines provide critical oversight mechanisms and valuable insights into an organization’s compliance culture.
External data sources such as the Corruption Perceptions Index (CPI), U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) sanctions lists and state-owned enterprise (SOE) information enrich the risk-assessment process by offering broader context.
By integrating these three data dimensions — internal business, internal compliance and external data — organizations can identify and mitigate risks across the procure-to-pay, quote-to-cash and business courtesies domains, ensuring a robust compliance strategy. Adding a fourth data dimension — internal company fraud data — enables organizations to identify corrupt third parties, as well as collusion among employees, vendors and customers, and groups of bad actors. Organizations can use technology (transaction geolocation, device intelligence, internal and external user-behavior analytics, and graph databases for link analysis) to build a robust compliance framework.
Despite clear regulatory guidance, many organizations are resistant to adopting data-driven compliance strategies for the following reasons:
Such inertia not only heightens regulatory risks but also stifles an organization’s ability to innovate and compete effectively.
Adopting a data-driven compliance framework offers significant advantages, including:
For example, integrating data from internal transactions, compliance activities and external sources can enable organizations to monitor risk areas such as procure-to-pay cycles, vendor onboarding, travel expenses and customer life cycle management. Advanced analytics tools can generate real-time alerts and insights, enabling swift corrective actions.
To move beyond a traditional approach, compliance organizations must:
Even with the new U.S. presidential administration shifting its priorities on FCPA enforcement, companies around the world shouldn’t lose sight of their anti-corruption-related initiatives. Recent DOJ guidance on FCPA enforcement likely won’t dilute the recent emphasis on data and analytics. The established practices of the DOJ and the SEC and the global focus and acceptance of anti-bribery and anti-corruption measures may continue the robust approach to FCPA enforcement in the long term, supported by advanced data analysis. The traditional approach of many compliance organizations isn’t tenable at a time of evolving regulatory demands and increasingly complex global business operations. By leveraging data analytics, companies can mitigate ABAC risks and enhance their overall compliance posture and competitive advantage. Recognizing compliance as a strategic imperative and embracing the power of data can drive meaningful change.
Rajesh Melappalayam, CFE, is a seasoned compliance and risk management expert with extensive experience in helping Fortune 100 companies navigate complex regulatory landscapes. Contact him at rmelappa@rannnconsult.com.