Compliance analytics can help you harness the power of data

Once unearthed, that data—the holy grail of compliance—must be deciphered if it’s to unlock any true value. That, in essence, is compliance analytics: It’s the process of gathering all the data the company holds (and even data that it does not hold) and analyzing it using statistical algorithms to mine for patterns and anomalies to uncover things like fraud, policy violations, and other misconduct.

“Compliance analytics is about using data to derive insights from a compliance perspective,” says Seth Rosensweig, a partner at PwC and head of its digital risk, regulatory, and compliance practice.

Depending on where a company is along the analytics maturity spectrum, Rosensweig explains, compliance analytics can be used to derive insights for a variety of purposes, including:

• Descriptive analytics: What happened in a given situation?
• Diagnostic analytics: Why did it happen?
• Predictive analytics: What could happen?
• Prescriptive analytics: What is the best course of action for a given situation? What can the business do to improve?

Unlike a risk assessment, which intrinsically is backward-thinking, data analytics effectively enables compliance, risk, and audit professionals to proactively detect and continuously monitor potential issues in real time. Without the benefit of today’s advanced analytics tools, the visibility that compliance, risk, and audit functions has into the company’s operations is limited by whatever sample, periodic risk-based testing or risk-based audit activities the company conducts manually.

“Dealing with a huge amount of data traditionally was a very laborious activity for compliance functions,” says Shaheen Dil, managing director and global solution leader for data management and advanced analytics at Protiviti.

Manually sifting through data also leaves the door open for misconduct or a policy violation to go undetected—a very real concern for a global financial institution, for example, that typically has dozens of lines of business, has millions of customers, and manages billions of records. Merely taking a risk-based sample of data doesn’t satisfy regulators, Dil says, because it raises the question, “How do you know you’ve picked a comprehensive data sample? How do you know this sample covers all your potential risks?”

Dil cites as an example her former experience as an executive at PNC Financial Services Group, where “we spent half our time explaining to regulators—in those days, before advanced analytics tools were used—why our risk-adjusted sampling methods were, in fact, accurate and covered most of our risks,” she says.

That’s all changed with the use of advanced analytics tools, in which machines can now sift through all data, so that compliance, risk, and audit professionals are no longer limited to analyzing structured data alone—such as spreadsheets and database records. “Organizations historically didn’t have the tools and techniques, and even the know-how, to mine, understand, and do something with unstructured data,” Rosensweig says.

Advanced analytics, like artificial intelligence (AI) and machine learning technologies, are opening compliance functions up to new and exciting opportunities. Unstructured data—social media, text messages, e-mail, contracts, and more—can now be consolidated, along with structured data and analyzed together to identify patterns and anomalies that may go undetected by the human eye.

Getting started

Companies interested in the idea of compliance analytics for testing and monitoring but that don’t know where to begin should consider the following as stepping stones:

Don’t try to boil the data ocean. Compliance and audit functions should carefully think through how to incorporate and leverage the use of analytics into their end-to-end business processes, says Mike Maali, U.S. internal audit, compliance and risk management solutions leader at PwC. Often, companies that want to delve into compliance analytics begin identifying individual use case opportunities for deploying analytics and start mining the data without having a clear roadmap on how to leverage it more holistically, he says.

Begin by solving for a clear, well-defined risk or goal. In the banking industry, for example, AI and machine learning can help banks more accurately and quickly verify the identity of clients through automated know-your-customer-procedures. Credit Suisse shared how it’s using a new technology platform that has helped identify and verify its international clients 80 percent faster than the year prior.

Credit Suisse is also able to assess “politically exposed persons” (PEPs) approximately 60 percent faster, at approximately 40 percent lower costs. “Over the past two years we have gone from a human-led approach to compliance, where we were carrying out periodic checks, to a technology-led approach in which we are continuously monitoring activities across the bank to enable earlier prevention and detection,” Lara Warner, head of the compliance and regulatory affairs unit at Credit Suisse, said in a blog post.

To cite another example in the financial services industry, data analytics can be used to monitor the activity of bank accounts opened by employees. Employees who have hit their sales targets by opening an excessive amount of customer accounts with no activity can be flagged for review.

In the pharmaceutical industry, where opioid use is a big compliance risk right now, data analytics can be used to uncover patterns of potential fraud or abuse. Such red flags in the data may include, for example, the number of doctors visited; the geography and patient population; and the frequency of drugs prescribed.

And in the retail industry, transactions involving what the company considers “high-risk” distributors or resellers can be analyzed to check against whether a third party in the supply chain is doing business with unauthorized or unapproved suppliers in a high-risk market.

These are just a few examples of the ways targeted data analytics for compliance purposes can be used across a variety of industries.

Establish data governance controls around data usage. Proper data governance is about enforcing through policies and procedures the management of data assets and the performance of data functions. Data governance should identify who is responsible for what data, who has access to the data, and what type of access is allowed.

A data dictionary is another important component of the data governance process. A data dictionary describes how to store and manage data and, thus, plays a central role in maintaining the accuracy, reliability, and integrity of the data, which is especially important when reporting to regulators.

Get a grip on data lineage. Data lineage is the lifecycle of data. It’s the art of tracking the company’s internal and external data, including its origin, where it moves, and how the data changes as it moves across servers and from module to module—from accounts payable to the general ledger, for example. So long as the business has a firm grasp on its data governance and data lineage, it can start to use the data in more advanced ways—such as getting into predictive risk modeling.

Put together a team of experts. Compliance analytics is intended to enhance—not replace—human intelligence. Those in the business must still translate what the data means relative to the risks that the business faces and how the data can be used to achieve future business goals.

Data stewards are a must. These individuals do not necessarily have the title of “data steward,” but they are the individuals in each business unit who know what data is available, where it’s located, and how it’s being stored. “You are starting to see a move toward the creation of these data teams,” says Tom Nicolosi, a principal in the Deloitte Risk and Financial Advisory practice.

On that data team also needs to be heads from compliance, risk, internal audit, and IT who can interpret the results. “You need to make sure that you have those appropriate pieces represented at the table when trying to design what it is that you want to do, and how you want to do it,” PwC’s Maali says.

Regulators and analytics

Increased interest in the adoption of compliance analytics by companies comes at a time when government agencies are starting to pay a lot more attention to it as well. “Regulators, in general, have become extremely fascinated and extremely interested in this whole set of processes around data analytics,” Nicolosi says.

Certain regulatory bodies are even deploying data analytics in performing their examinations. The Financial Industry Regulatory Authority (FINRA), for example, uses advanced analytics to monitor trading in U.S. equities markets. “To do our job of protecting investors and ensuring market integrity, it’s important that we are on top of each day’s activity, applying our automated surveillance patterns to help our analysts look for potentially suspicious activity—instead of running to catch up,” wrote Steve Randich, executive vice president and chief information officer at FINRA.

In a second example, the Securities and Exchange Commission in July used its data analytics capabilities to uncover insider trading by an executive, resulting in an enforcement action. “It certainly would be leading practice for organizations to make sure they are doing the same sorts of things, if not more, than regulatory agencies are doing today,” Nicolosi says.