Investigate This

Data-driven compliance: A new frontier for anti-bribery and anti-corruption risk programs

By Rajesh Melappalayam, CFE

Despite significant regulatory advancements and the availability of innovative tools, many anti-bribery and anti-corruption compliance teams avoid implementing data-driven strategies. The author emphasizes the necessity of embracing an innovative approach to address these risks in the wake of evolving regulatory and enforcement demands.

Anti-bribery and anti-corruption (ABAC) programs are a critical priority for corporate organizations operating in today’s globalized business environment because these programs promote ethical business behavior and help organizations comply with various regulations around the world. Failing to adopt an approach focused on data and analytics and continuing a siloed approach toward compliance can allow illegal and unethical acts to go unnoticed and can result in significant fines and penalties, as software company SAP SE (SAP) learned last year. In January 2024, the U.S. Department of Justice (DOJ) fined the German-based company $222 million, and the U.S. Securities and Exchange Commission (SEC) hit the company with a $98 million fine for paying bribes to South African and Indonesian officials.

Despite penalties for noncompliance, many organizations don’t have a comprehensive strategy for their compliance programs. In my experience at a Fortune 100 global technology company, I’ve observed how many organizations fall short of effectively addressing bribery and corruption risks. This column highlights the pitfalls of traditional compliance methods and underscores the necessity of a data-driven paradigm, as emphasized in the DOJ’s 2024 updates to the Evaluation of Corporate Compliance Programs (ECCP), even in light of U.S. priority shifts concerning the Foreign Corrupt Practices Act (FCPA).

The evolving regulatory landscape

On Feb. 10, the White House issued an executive order pausing FCPA investigations and enforcement actions for at least 180 days. The FCPA prohibits the bribery of foreign officials to obtain or retain business, and it applies to U.S. entities and foreign firms using U.S. interstate commerce to make corrupt payments. The law’s accounting provisions require companies to keep accurate records and maintain internal controls. The recent executive order directs the U.S. Attorney General to review existing FCPA guidelines, resolve ongoing cases, and align future policies with U.S. economic and foreign policy interests.

The order affects the DOJ’s criminal prosecutions, not the SEC’s civil enforcement of FCPA provisions. Companies must continue to comply with the FCPA and other anti-bribery laws globally.

In a Feb. 7 memorandum, U.S. Attorney General Pamela Bondi directed the Criminal Division’s FCPA Unit to “prioritize investigations related to foreign bribery that facilitates the criminal operations of Cartels and TCOs [Transnational Criminal Organizations], and shift focus away from investigations and cases that do not involve such a connection. Examples of such cases include bribery of foreign officials to facilitate human smuggling and the trafficking of narcotics and firearms.”

Details on the FCPA — including anti-bribery and accounting provisions, jurisdiction and enforcement — are available from the DOJ’s FCPA Resource Guide. The guide covers what makes a corporate compliance program effective and the factors that the DOJ and SEC consider when deciding to pursue an investigation, including voluntary self-disclosure, cooperation and remediation.

And while the U.S. has, at least temporarily, shifted its focus to bribery and corruption related to cartels, other global laws and regulations still require attention to anti-bribery and corruption related to foreign officials. For example, the U.K. Bribery Act 2010 criminalizes bribery and corruption in the U.K. and abroad and applies to cases of public- and private-sector bribery. The U.K. government’s guidance document has six principles for organizations to follow when developing anti-bribery procedures and policies:

  1. Proportionate procedures: Bribery prevention procedures within an organization “are proportionate to the bribery risks it faces and to the nature, scale and complexity of” the organization’s activities.
  2. Top-level commitment: Upper-level managers are “committed to preventing bribery by persons associated with it.”
  3. Risk assessment: An organization conducts periodic, informed, documented assessments of “the nature and extent of its exposure to potential external and internal risks of bribery.”
  4. Due diligence: To mitigate identified bribery risks, an organization “applies due diligence procedures, taking a proportionate and risk-based approach” toward those performing services for or on behalf of the organization.
  5. Communication (including training): Through internal and external communication and training, an organization works “to ensure that its bribery prevention policies and procedures are embedded and understood” throughout the organization.
  6. Monitoring and review: The organization “monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.”

The European Union also has proposed legislation in the works aimed at preventing and combating corruption within its member states and internationally. The new law would replace the 1997 Convention on fighting corruption involving officials of the EU or officials of EU countries and the 2003 Council Framework Decision on combating corruption in the private sector. It would also amend Directive (EU) 2017/1371.

This legislative proposal will incorporate international standards that are binding on the EU, such as those in the United Nations Convention Against Corruption (UNCAC), which includes ABAC provisions.

The pitfalls of traditional compliance

Despite the risks of noncompliance with ABAC laws, such as sanctions and enforcement actions against companies and individuals, many organizations remain entrenched in outdated practices, complete with manual processes, fragmented oversight and insufficient data utilization. According to the DOJ and the SEC, the primary reasons for ABAC noncompliance include:

  • Lack of a genuine compliance culture: A superficial commitment to compliance creates an environment that doesn’t prioritize ethical behavior.
  • Inadequate internal controls: Weak systems and processes leave organizations vulnerable to bribery, corruption and fraud.
  • Insufficient due diligence: Minimal scrutiny of third parties, such as vendors, distributors and partners, introduces significant risks.
  • Lack of training and awareness: Without proper education, employees might inadvertently engage in actions that violate ABAC provisions.

These approaches not only increase an organization’s exposure to regulatory action but also undermine trust and organizational integrity.

The DOJ's 2024 mandate: A data-driven transformation

Recognizing the limitations of conventional methods, the DOJ’s 2024 ECCP updates call for a transformative shift toward data-driven ABAC compliance programs. These updates stress the importance of leveraging data analytics to proactively identify, assess and mitigate ABAC risks. Key pillars of this approach include:

  • Risk assessment and management: Companies must conduct robust risk assessments using data to pinpoint high-risk jurisdictions, transactions and third-party relationships.
  • Continuous monitoring: Compliance programs should employ real-time or near-real-time monitoring systems powered by artificial intelligence (AI) and machine learning (ML) to detect anomalies and red flags. AI and ML are revolutionizing compliance programs and enabling organizations to surpass traditional, rules-based systems and embrace proactive, predictive approaches. AI and ML algorithms can analyze vast datasets to identify patterns, anomalies and trends that could indicate potential ABAC violations. For instance, ML models can be trained to detect unusual payments, suspicious travel patterns or irregularities in third-party transactions. These technologies can also automate time-consuming tasks, such as risk scoring and due diligence, freeing up compliance professionals to focus on other strategic initiatives.
  • Third-party risk management: Use data analytics to assess and monitor the risk profiles of third parties throughout their life cycle.
  • Whistleblower programs: Effective use of data can help identify trends in whistleblower reports and evaluate the organization’s responsiveness.

Integrating data for effective compliance

A comprehensive ABAC compliance framework relies on the integration of three critical data dimensions: internal business, internal compliance and external data. The diagram below illustrates how organizations can leverage these data sources to strengthen their compliance programs.

The integration of internal business/transaction data, internal compliance data and external data creates a robust framework for ABAC risk management.

Internal business/transaction data includes three key domains:

  1. Procure-to-pay: data related to vendors, purchase orders, statements of work (SOW), invoices and payments.
  2. Quote-to-cash: data on customers, deals, sales orders and returns.
  3. Business courtesies: data on employee gifts, travel and entertainment (GTE).

These domains interconnect to reveal potential red flags, such as GTE transactions linked to vendors or payments.

Internal compliance data tools, such as codes of business conduct (COBC), ABAC training, conflict-of-interest (COI) disclosures and whistleblower hotlines, provide critical oversight mechanisms and valuable insights into an organization’s compliance culture.

External data sources such as the Corruption Perceptions Index (CPI), U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) sanctions lists and state-owned enterprise (SOE) information enrich the risk-assessment process by offering broader context.

By integrating these three data dimensions (internal business, internal compliance and external data), organizations can identify and mitigate risks across the procure-to-pay, quote-to-cash and business courtesies domains, ensuring a robust compliance strategy. Adding a fourth data dimension, internal company fraud data, enables organizations to identify corrupt third parties, as well as collusion among employees, vendors and customers, and groups of bad actors. Organizations can use technology (transaction geolocation, device intelligence, internal and external user-behavior analytics and graph databases for link analysis) to build a robust compliance framework.
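The join across the three data dimensions can be sketched in a few lines of Python. This is an added example, not code from the column or from any compliance product; every record, field name, score and threshold in it is constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# All records, field names, scores and thresholds are constructed for illustration.
VENDORS = {
    "V001": {"name": "Acme Logistics", "country": "XA", "soe": False},
    "V002": {"name": "Northwind Energy", "country": "XB", "soe": True},
    "V003": {"name": "Blue Harbor Trading", "country": "XA", "soe": False},
}
PAYMENTS = [  # internal business data: procure-to-pay
    {"vendor": "V001", "amount": 12000, "date": "2025-01-10"},
    {"vendor": "V002", "amount": 250000, "date": "2025-02-03"},
    {"vendor": "V003", "amount": 8000, "date": "2025-02-20"},
]
GTE = [  # internal business data: gifts, travel and entertainment
    {"employee": "E17", "vendor": "V002", "amount": 900, "date": "2025-01-28"},
    {"employee": "E04", "vendor": "V001", "amount": 40, "date": "2025-01-05"},
]
COI_DISCLOSED = {("E04", "V001")}      # internal compliance data
CPI = {"XA": 72, "XB": 28}             # external: made-up scores, lower = riskier
SANCTIONED = {"blue harbor trading"}   # external: stand-in for a sanctions list

def flag_vendors(cpi_cutoff=40, gte_limit=250, window_days=30):
    """Return {vendor_id: [red flags]} by joining the three data dimensions."""
    flags = defaultdict(list)
    for vid, v in VENDORS.items():
        # Exact-name matching is a simplification; real screening needs fuzzy matching.
        if v["name"].lower() in SANCTIONED:
            flags[vid].append("sanctions_match")
        if v["soe"]:
            flags[vid].append("state_owned")
        # A country missing from the index is treated as high risk (score 0).
        if CPI.get(v["country"], 0) < cpi_cutoff:
            flags[vid].append("high_risk_jurisdiction")
    for g in GTE:
        if g["amount"] <= gte_limit:
            continue
        gdate = date.fromisoformat(g["date"])
        for p in PAYMENTS:
            gap = (date.fromisoformat(p["date"]) - gdate).days
            if p["vendor"] == g["vendor"] and 0 <= gap <= window_days:
                flags[g["vendor"]].append("gte_before_payment")
                break
        if (g["employee"], g["vendor"]) not in COI_DISCLOSED:
            flags[g["vendor"]].append("gte_without_coi_disclosure")
    return dict(flags)

def review_queue():
    """Vendor ids ordered by number of flags, most first."""
    f = flag_vendors()
    return sorted(f, key=lambda vid: (-len(f[vid]), vid))
```

No single source flags V002 strongly on its own; it rises to the top of the review queue only once the payment, GTE, COI and external records are joined.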

Why the limited approach persists

Despite clear regulatory guidance, many organizations are resistant to adopting data-driven compliance strategies for the following reasons:

  • They rely on legacy systems. Companies cling to outdated technologies that lack the analytical capabilities needed to address modern compliance challenges.
  • They focus on short-term cost considerations. Organizations view investments in compliance data platforms and analytics as expenses rather than strategic assets.
  • They have siloed operations. Fragmentation across departments impedes the integration of compliance data with broader business operations.

Such inertia not only heightens regulatory risks but also stifles an organization’s ability to innovate and compete effectively.

The power of data and analytics

Adopting a data-driven compliance framework offers significant advantages, including:

  • Proactive risk identification: Analytics can uncover patterns and anomalies, such as unusual payments or travel, that signal potential violations.
  • Enhanced monitoring: Continuous data-driven monitoring ensures compliance policies are consistently applied and effective.
  • Evidence-based defense: In the event of an investigation, a robust compliance data platform provides evidence of good-faith efforts to adhere to FCPA requirements.

For example, integrating data from internal transactions, compliance activities and external sources can enable organizations to monitor risk areas such as procure-to-pay cycles, vendor onboarding, travel expenses and customer life cycle management. Advanced analytics tools can generate real-time alerts and insights, enabling swift corrective actions.

A road map for compliance organizations

To move beyond a traditional approach, compliance organizations must:

  • Invest in technology: Build or enhance compliance data platforms that integrate data from multiple sources and provide advanced analytics capabilities.
  • Establish data governance and quality standards: Organizations should establish clear data governance frameworks to ensure data accuracy, completeness and consistency. By maintaining high-quality data, organizations can improve the reliability and effectiveness of their compliance analytics, leading to more accurate risk assessments and informed decision-making.
  • Foster a culture of compliance: Promoting ethical behavior and accountability at all organizational levels is essential for successful compliance programs.
  • Collaborate cross-functionally: Data-driven compliance requires seamless collaboration between various departments within an organization. Compliance teams must work closely with IT, legal and business operations to ensure access to the necessary data, tools and resources. By fostering a collaborative environment, organizations can break down data silos, promote knowledge sharing and create a unified approach to compliance risk management.
  • Embrace regulatory expectations: Align compliance efforts with the DOJ’s emphasis on data-driven practices and continuous monitoring.

A competitive advantage

Even with the new U.S. presidential administration shifting its priorities on FCPA enforcement, companies around the world shouldn’t lose sight of their anti-corruption-related initiatives. Recent DOJ guidance on FCPA enforcement likely won’t dilute the recent emphasis on data and analytics. The established practices of the DOJ and the SEC and the global focus and acceptance of anti-bribery and anti-corruption measures may continue the robust approach to FCPA enforcement in the long term, supported by advanced data analysis. The traditional approach of many compliance organizations isn’t tenable at a time of evolving regulatory demands and increasingly complex global business operations. By leveraging data analytics, companies can mitigate ABAC risks and enhance their overall compliance posture and competitive advantage. Recognizing compliance as a strategic imperative and embracing the power of data can drive meaningful change.

Rajesh Melappalayam, CFE, is a seasoned compliance and risk management expert with extensive experience in helping Fortune 100 companies navigate complex regulatory landscapes. Contact him at rmelappa@rannnconsult.com.
