In the fight against financial crimes, today’s organizations must focus on building compliance programs that are increasingly driven by analytics. While PwC’s Global Economic Crime and Fraud Survey 2018 indicates that 42 percent of companies have increased their spending over the past two years to combat financial crime (an increase of 2 percent from 2016) and that 44 percent intend to boost their spending over the next two years, many businesses are falling behind with their compliance analytics.
According to KPMG’s CCO (Chief Compliance Officer) Survey of 2017, which spoke with CCOs representative of the FORTUNE 100 to gather their thoughts on their organization’s compliance journey, data analytics still remains one of the least mature components of most compliance programs. The survey found that just 47 percent of those surveyed leverage data analytics and other technology processes to conduct root case and trend analysis, with 51 percent of CCOs ranking improving data quality for risk data aggregation and risk reporting as a top compliance challenge.
While most businesses have an appetite to adopt and leverage analytics in their compliance programs, there is clearly a gap in making this a reality, with most seeming uncertain of how to launch such type of program.
What are compliance analytics?
As defined by Deloitte, compliance analytics is “a growing category of information analysis, involves gathering and storing relevant data and mining it for patterns, discrepancies, and anomalies. It enables companies to better detect and head off potentially improper transactions before employees, third-parties, or even criminals steal or achieve other nefarious objectives.
Compliance analytics helps companies to proactively identify issues, take corrective action, and self-report to regulators on a timely basis.” As noted by Satish Lalchand, an analytics principal with Deloitte Transactions and Business Analytics LLP, “C-suite leaders find themselves accountable for those issues, with their positions on the line. That has led more companies to proactively detect noncompliance and fraud, rather than waiting to fall victim to it... It’s better if you find an issue, take action, and tell regulators if required, rather than them finding it,” he explains.
Who you need to get you on the right foot
To build a successful compliance analytics program, businesses must first focus on creating a transformational experience within the program, ensuring that everyone who may be affected is onboard with the program and is aware that it is coming down the pipeline.
Key personnel to include in the compliance program beyond the compliance department might include members of Financial Risk Management, Internal Audit Management, IT Risk and Compliance and Operational Risk Management departments. Depending on the organization, chief marketing officers and chief data officers may also be involved.
When looking at AML compliance programs, due to ever-increasing regulatory expectations, changing government guidance (such as that issued by the U.S. Department of Justice in early 2017 regarding fraud and compliance programs), and continued enforcement actions, it’s increasingly important to involve General Counsel to accurately interpret regulations that frequently evolve to meet rising threats. Finally, process owners also need to be involved because they are the individuals who will put the new processes in motion.
Compliance analytics workshops to identify and prioritize analytics
Once you have determined the key stakeholder that need to be involved in your compliance analytics program, the next step is to focus on the highest-areas of compliance risk. In my experience, the best way to identify areas of compliance risk, the processes needed to protect the organization, and the appropriate technology solution for your organization is to conduct compliance risk-assessment workshops. The objective of the workshop is to identify the current state program and processes.
On a side note, throughout the thousands of these workshops CaseWare Analytics’ has conducted, we consistently find common failings across the organization include lack of understanding of the data; deficient documentation on policies and procedures; and absent controls monitoring. Without these in place, it becomes more difficult to optimize processes and your compliance analytics program will not succeed.
To help determine the strength of your program, you need to ask the following questions:
- Do we have a scalable technology to analyze different types of data sets?
- What activities are actually happening within the processes, and what are the roles and the responsibilities of the people involved?
- Is your organization using structured (i.e. ERP) and unstructured (i.e. mobile apps) data, and what are the capabilities of those existing systems?
- Can the technology process large volumes of numerical data related to organizational processes and transactions?
- What, if any, tasks are being completed manually?
- What potential pain points are you running into when using the system or throughout the process?
- Are any items or information being lost, or are there inconsistencies in information between multiple disparate systems?
- What are the risks around all of the identified pain points?
- What are the strengths of your internal controls, and are there risks around those that are not monitored in an automated fashion?
Once you achieve have reviewed the strength of an organization’s processes and identified the areas of highest risk, you have the beginnings of your analytics roadmap to continuously monitor the performance of the compliance program and highlight areas of improvement.
Reviewing your process flows
Once the current state of a particular process has been determined and “AS-IS” process maps provided or created, a future state and “TO-BE” process maps can be created. At this stage, many companies become overwhelmed with current state flow diagrams that are at times difficult to interpret and align to the technology enabling the automation/optimization of a particular process.
Figure 1: Many business process flows are lengthy and overly complicated, making it difficult to determine the people and tasks involved in it.
Our approach helps streamline current processes by determining the objective for each process and breaking them down into a clear and concise process flow for each area. This more simplistic form reduces unwanted noise, helping to identify and understand the critical elements that must be completed within each process.
Figure 2: Simplified process flows make it easier to understand the key pieces of each business process.
Process automation and analytics
Once processes are created, reevaluated and simplified, organizations can begin automating tasks, using analytics to detect unusual activities and continuously monitor performance.
With the help of technology, as much as 80 to 85 percent of compliance processes across all business areas can be completed without human interaction. Key elements of a successful automation project include:
- Ability to import data from multiple sources, whether it be worldwide, centralized, or from disparate systems, so organizations can have a true picture of what is really happening within an organization.
- Capacity to detect suspicious activities that may be happening within the system through the use of rules-based analytics, anomaly detection, network linking and predictive analytics.
- Dashboards to provide a visual and holistic view of each particular entity, whether it be a customer, a vendor, supplier or distributor. Items in a dashboard may include a risk profile and risk score which are based on screening results, transactions and relationships.
- Clear, concise and consistent remediation guidelines to help employees know what their actions should be for any given situation.
- Key performance indicators (KPIs) that provide an early indication of increased risk exposure in specific areas and provide the information that is needed to enable compliance leaders to make smarter decisions for effectively managing risks.
Compliance analytics and continuous improvement
A compliance analytics program is most effective when it is continuously used and monitored. The method of choice at CaseWare Analytics for continuous improvement and deployment of analytics is the industry-standard CRISP-DM (cross-industry standard process for data mining), as depicted in the following image:
This is a seven-phase approach that helps businesses begin to break down their primary business understanding, then gain a clear understanding of the data and how it ties to its controls, elements, systems and processes. Once this is understood, you can begin to prepare the data accordingly based on your business objectives or questions to ensure you are working toward the appropriate results.
After data preparation, models and rules for the analytics can be created. As you start to have a particular output and evaluate these results, you can test, refine and continue to evaluate and refine the model with your organization’s SMEs, after which the technology is now ready for deployment.
This is not the end, however: deployment requires continuous sustainability. Your business must continue to refresh the information, and conduct recalibration sessions every three to four months. This requires organizations to go back to validate whether the analytics are still functioning to meet the needs or if they need to evolve. This piece is critical and is a job that is never truly complete.
Continuing into the future
Anyone working in compliance today can tell you how vital it is to have an analytics program to provide deep and relevant insights, improve efficiencies and reduce manual and repetitive tasks; however, launching and sustaining such program can be easier said than done.
To build a robust, sustainable compliance analytics program, you must take the first steps to get the right people involved, review their processes for effectiveness and simplify overly complicated procedures. Once you have done this, you can then launch an analytics program and eventually grow it - evolving from standard, rules-based analytics to identify control exceptions to advanced analytics such as anomaly detection, network linking and predictive analytics for more sophisticated suspicious behavior monitoring and prevention.
Ultimately, no matter the type of compliance program, you must always be sure to avoid the temptation to simply repair issues with a quick fix. The most effective analytics help identify the root cause of the issue. With this information in hand, policies, procedures and controls can be evolved so that issues don’t reoccur and opportunities for cost savings can be found.