This post is the second of two covering the importance of compliance professionals understanding the technology that drives their businesses and produces the data they need to manage risk. The first post is here.
Companies are usually aware of the benefits of leveraging big data to detect fraudulent activity, but often struggle with how to get started.
Several best practices should be considered when developing a strategy for using your data in this way.
Compliance officers must understand the new standards that regulators are imposing in areas such as internal trading systems and the security of customer data, said Nick Paraskeva, principal of Reg-Room LLC.
“Compliance needs to document who has access to data and systems and how they will retrieve information requested by regulators,” he said. “They must impose a change-control process for technology revisions as well, meaning they need to oversee the process of internal governance over amendments to company systems.”
As policies and controls change even in the slightest ways, compliance must be on the front end of those adaptations. This process should be well-documented.
“Policies and procedures should identify who is responsible for making these changes, and have standards for these persons’ independence, for example, mandating that these professionals be segregated from the trading area,” Paraskeva said.
These programs should also be thoroughly tested before implementation to ensure no unintended consequences occur for the firm or the market, he said, referring to Knight Capital.
(On Aug. 1, 2012, the trading firm Knight Capital sent out a wave of accidental stock orders – more than four million – that badly affected the market as a whole and resulted in a $460 million loss for the firm.)
Can technology assist compliance officers in preventing Foreign Corrupt Practices Act violations? In part, yes.
“The OFAC lists are one place to start, although these are about sanctions rather than politically exposed persons or FCPA issues,” said David Buxton, CEO of Arachnys in London.
“Media accounts are helpful, but we have to do a huge amount of cleansing work in order to make it useful, especially when we’re talking about countries that don’t use English,” he said.
“Many other governments publish blacklists and sanctions lists, such as Canada, the EU, Australia, and others, including emerging markets like Indonesia, which publishes lists of companies banned from public procurement,” Buxton said. “Multilaterals such as the World Bank contribute such lists as well.”
Technology helps compliance officers sift through the data to find threats that could become FCPA or other corruption concerns.
“Companies can send web spiders out to continuously monitor internet information — lists of parliamentarians and ministers, news reports, etc.,” said Buxton.
Then the company can do the “data crunching,” that is, take the raw data and clean it up, he said.
“It is necessary to do this for two reasons. First, there’s a lot of garbage on the internet, and you need to filter it out. Second, you want to be able to do complicated queries on the data that allow you to filter out neutral or positive mentions of the people you look for and instead narrow down whether or not they are politically exposed.”
If this sounds like a lot of work that requires ample resources, my experts agreed that it is.
And these costly systems and all of this collected data can be subject to hacking. What is the compliance officer’s responsibility here?
“The key thing a compliance officer can do regarding malware and hacking is to understand where a cyber threat is going to have a business impact,” said Henninger.
“That’s where the regulators are starting to get involved — and that is what matters in the board room.”
Julie DiMauro is the executive editor of FCPA Blog and can be reached here.