ACI Insights


Where content and thought leaders unite to bring you original and new perspectives on emerging trends and ideas from leaders in the business community.

Contents: Ethical Compliance; Addressing the Jurisdictional Challenges of Compensation Clawbacks; How to Handle a Cross-Border Anticorruption Investigation; The Role Of Artificial Intelligence In Ephemeral Messaging; Building a Data-Driven Anticorruption Compliance Program; About Us

Ethical Compliance

Artificial intelligence (AI) can serve as a powerful tool in helping companies achieve more efficient business operations and drive growth. At the same time, it also poses myriad ethical, legal and compliance risks if not developed and governed responsibly.

Nearly every sector, company, and business function can benefit from AI’s use cases. For legal and compliance teams, for example, imagine the amount of time and resources saved by having a machine quickly scour through and analyze oceans of data—legal and regulatory documents, transactional data, expense reports, social media communications, and more.

Through leveraging AI, in-house counsel and chief compliance officers can more quickly and efficiently spot anomalies or trends in data that may point to fraud or other misconduct—even identifying issues that might have escaped human analysis. In this way, AI theoretically has the potential to mitigate, rather than contribute to, legal and compliance regulatory risk.

The challenge, of course, is that AI is evolving faster than the governance and regulatory controls needed to keep its ethical and legal usage in check. This is concerning, because information produced with algorithms is far from perfect—potentially fraught with inaccuracies and vulnerable to perpetuating bias and discrimination, infringing consumer data privacy rights, or causing other harms.

This is where ethical AI, or responsible AI, plays a critical role. While there is really no concrete definition around these terms, IBM succinctly explains AI ethics in this way: “Ethics is a set of moral principles which help us discern between right and wrong. AI ethics is a set of guidelines that advise on the design and outcomes of artificial intelligence.”

Regulatory tensions

Regulators increasingly are taking notice of how companies use AI as well, especially as it applies to perpetuating unlawful discrimination and bias in data. Recently, four federal agencies—the Department of Justice (DoJ), the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Equal Employment Opportunity Commission (EEOC)—issued a joint statement warning the private and public sector that they will vigorously enforce their respective laws and regulations to promote responsible AI innovation.

This joint statement follows one year after the EEOC and DoJ each released guidance documents describing how AI used to make employment decisions can perpetuate disability discrimination in violation of the Americans with Disabilities Act (ADA). The EEOC guidance helpfully provided recommended measures for employers on how to ensure compliance with the ADA when using algorithmic decision-making tools.

For legal and compliance teams, aligning responsible AI with existing laws and regulations is a complex and subjective exercise. Marian Croak, vice president of Responsible AI and Human Centered Technologies at Google, explained the challenges in this way: “Most institutions have only developed principles—and they’re very high-level, abstract principles—in the last five years. There’s a lot of dissension, a lot of conflict in terms of trying to standardize on normative definitions of these principles. Whose definition of fairness, or safety, are we going to use?”

Artificial Intelligence (AI) can be a powerful tool to help data leaders make more informed decisions that improve business outcomes and drive growth, but if not designed correctly it can quickly become a bane for legal and compliance teams.

Responsible AI measures

While ethical AI best practices continue to evolve, below are some best-practice AI principles to consider, gathered from the collective insights of leading companies in the AI space.

Appoint a dedicated AI leader. Many companies today are opting to hire a dedicated AI ethics officer. While the title and responsibilities of this role vary greatly company to company, the idea is to have someone lead the company’s responsible AI journey. Microsoft’s Chief Responsible AI Officer Natasha Crampton, for example, leads the company’s Office of Responsible AI, tasked with “building and coordinating the governance structure for the company,” Crampton wrote in a blog post.

Create a senior-level, cross-functional AI working group. In addition to having a dedicated AI ethicist, many leading companies are creating AI working groups with responsibility for driving AI efforts across the company. Ideally, this working group is championed by senior leaders and consists of those who collectively bring to the table both technical skillsets and business knowledge.

Microsoft’s Responsible AI Council is one such exemplary model. Co-chaired by Microsoft President Brad Smith and Chief Technology Officer Kevin Scott, the Responsible AI Council “brings together representatives of our core research, policy, and engineering teams dedicated to responsible AI, including the Aether committee and its Office of Responsible AI, as well as senior business partners who are accountable for implementation,” Crampton wrote.

Establish a set of guiding AI principles. Many leading companies have in place their own set of responsible AI principles from which other companies could draw inspiration. A few good examples include Microsoft’s “Responsible AI Standard,” IBM’s “Principles for Trust and Transparency,” Salesforce’s “Trusted AI” principles, and Google’s AI principles.

Promote inclusivity in AI practices. Leading companies recognize the importance and value of ensuring AI practices are intentionally inclusive and diverse by respecting and weighing how AI impacts society at large. A helpful resource in this respect is the Partnership on AI, which recently established the “Global Task Force for Inclusive AI,” a body of leading practitioners and researchers across academia, civil society, industry, and policy “focused on establishing a framework for ethical and inclusive public engagement practices in the field of AI.”

Embed responsible AI into the fabric of the company. In order to promote inclusivity in AI practices outwardly, it’s important to promote inclusivity in AI practices internally by partnering with multiple stakeholder groups. For example, Salesforce’s Ethical Use Advisory Council “consists of a diverse group of frontline and executive employees, academics, industry experts, and society leaders.” According to Salesforce, the advisory council “ensures that we address the impacts of modern technology collaboratively, consider a wide set of perspectives, and mitigate risk while staying aligned to our commitments.”

Microsoft operationalizes AI through a centralized effort, led by its Office of Responsible AI, Aether committee, and its Responsible AI Strategy in Engineering. “We learned that we needed to create a governance model that was inclusive and encouraged engineers, researchers, and policy practitioners to work shoulder-to-shoulder to uphold our AI principles,” Crampton said. “A single team or a single discipline tasked with responsible or ethical AI was not going to meet our objectives.”

Develop AI for the benefit of society. “What I believe very, very strongly is that any technology that we’re designing should have a positive impact on society,” Croak said. Google, for example, has publicly committed not to design or deploy AI technologies that cause or are likely to cause overall harm; directly facilitate injury to people; gather or use information for surveillance violating internationally accepted norms; or whose purpose contravenes widely accepted principles of international law and human rights.

Design AI systems to be transparent and explainable. It is understandably difficult to trust the results of AI models when transparency is lacking. Designing AI systems to be transparent and explainable helps legal and compliance teams, as well as the business, both gain and foster trust that their AI models are accurate and reliable. IBM has publicly advocated that technology companies “need to be clear about who trains their AI systems, what data was used in that training and, most importantly, what went into their algorithms’ recommendations.”

Continuously monitor and test AI models. Machines are continuously learning based on ever-changing datasets. Thus, it’s important to continuously monitor and test the data—for example, regularly testing and validating that automated systems used in making employment decisions are not incorporating discrimination or bias into algorithms.

Collaborate with like-minded peers on designing and governing responsible AI models. There are many responsible AI frameworks and groups helping to advance the field of ethical AI to which companies can turn for guidance. A few examples include the World Economic Forum’s Responsible Use of Technology; the National Institute of Standards and Technology’s “Artificial Intelligence Risk Management Framework”; and the U.S. Chamber of Commerce Commission on Artificial Intelligence Competitiveness, Inclusion, and Innovation.

ACI will be holding its “AI Law, Ethics and Compliance” national conference on Oct. 31–Nov. 1 in Washington, DC. For more information, and to register, please visit: www.AmericanConference.com/AI-Law.


Addressing the Jurisdictional Challenges of Compensation Clawbacks

The Department of Justice’s newly launched compensation and clawback pilot program is certain to bring with it numerous implementation hurdles and jurisdictional challenges, but it also incentivizes companies to have in place a bulletproof clawback policy. Overcoming the legal and compliance hurdles can mean the difference between a policy that is enforceable, and one that is not.


“Every corporate resolution involving the Criminal Division will now include a requirement that the resolving company develop compliance-promoting criteria within its compensation and bonus system,” Deputy Attorney General Lisa Monaco said in remarks formally announcing the pilot program in early March.

The pilot program aims to encourage ethical behavior through the use of clawbacks. “Companies should ensure that executives and employees are personally invested in promoting compliance—and nothing grabs attention or demands personal investment like having skin in the game, through direct and tangible financial incentives,” Monaco said.

Implementation hurdles

While well-intentioned, the pilot program is potentially fraught with legal and compliance challenges for any company that finds itself in settlement talks with the Criminal Division. Josh Alloy, labor and employment counsel at Arnold & Porter, said that part of the challenge for companies is that the pilot program is a policy, not a law, which could make enforcing a clawback policy more difficult for companies.

One key factor in how easily a clawback policy can be enforced is whether the clawback concerns a former employee or a current employee. A second, related factor is whether the company is trying to claw back compensation already paid—like salary and annual bonuses—or vested or unvested shares that get paid out at some future date.


“It’s always easier to try to contest paying compensation out than it is trying to get compensation back from a departed executive,” said Peter Spivack, a partner in the Litigation, Arbitration, and Employment practice at Hogan Lovells.

“With respect to current employees, the employer has a lot more leverage,” Alloy said. For example, in addition to the prospect of continued employment, a company can reduce compensation, offset against future bonuses, or effectuate forfeitures of incentive compensation or equity paid.

U.S. jurisdictional challenges

Within the United States, numerous compensation laws on both a federal and state level also create legal and compliance hurdles for clawing back compensation. At the federal level, Section 954 of the Dodd-Frank Act directs stock exchanges to establish listing standards requiring publicly listed companies to develop and implement a clawback policy providing for the recovery of, in the event of a financial restatement, erroneously awarded incentive-based compensation received by current or former executive officers. In October 2022, the Securities and Exchange Commission (SEC) adopted final implementation rules.

The SEC’s rule is not as broad as the DoJ’s pilot program, however, as it applies only to publicly traded companies and only in the event of a financial restatement, in which an executive officer received incentive compensation for a percentage of profits gained through fraudulent means.

U.S. state wage-and-hour laws must also be considered in structuring or revising a clawback policy. Spivack said a big question depends on how each state defines “wages,” because employee wages cannot legally be clawed back. California, Massachusetts, New Jersey, and New York are all examples of states with strict employee wage protections in place. Where legal uncertainty could arise is when an employer offers a bonus plan or option grants, for example, that are not clearly discretionary on the part of the employer, he said.

Foreign jurisdictional challenges

Multinational companies with operations all over the world that find themselves engaging in settlement talks with the Criminal Division could face even more jurisdictional challenges. This is because many countries outside the United States—such as France, Germany, Brazil, and China—have employment laws that restrict or altogether prohibit compensation clawbacks.

“The biggest challenge is complying with the various, different national laws that would apply to a multinational company,” Spivack said. A multinational company might have an executive in a non-U.S. country who may be treated differently than a similarly situated executive in the United States from a compensation clawback standpoint, because of what the law requires in that particular jurisdiction, he noted.

“If you’re focusing on deferred compensation, if you’re focusing on compensation contingent on future financial performance, and if you have contract clauses that allow for deferred compensation to be rescinded for bad or unlawful or contrary to policy behavior, those are the types of provisions that need to be built in, and apply across the world,” Spivack added.

In public remarks, Assistant Attorney General Kenneth Polite acknowledged many of these challenges. “We recognize the difficulties companies may face when attempting to claw back compensation,” Polite said.

That is why companies that pursue clawbacks from corporate wrongdoers in good faith, even if unsuccessfully, will still be eligible to receive a fine reduction of “up to 25 percent of the amount of compensation that has been sought,” Polite explained. The company may also keep the clawback money it recouped.

Compliance takeaways

The pilot program will be in effect for three years to allow the DoJ time to assess its effectiveness. Because the program is still in its early stages, the DoJ hasn’t provided much in the way of guidance yet.

“I think there is a bit of a waiting game right now to see if the DoJ will provide more guidance as to what exactly it might be looking for,” Alloy said. “Some companies might not feel it is necessary or prudent at this time to go beyond what Dodd-Frank or the Sarbanes-Oxley Act requires.”

Nonetheless, it is in a company’s best interest to think holistically and proactively about the structure and scope of a written clawback policy, especially one pertaining to both U.S. and non-U.S. jurisdictions. “It’s important to have a clearly drafted, well-thought-out, written policy, with signed acknowledgement from the employee agreeing to it,” Alloy said.

Alloy advised carefully considering who the policy is going to cover. “Just officers? All senior employees above a certain level? All supervisory employees? All sales employees?” Another potential provision of an effective clawback policy is to tie misconduct to sales commissions.

Finding the right person or group within the company to oversee and administer the policy is also important. “With larger, publicly traded companies, we would typically advise that it be administered and overseen by a committee of the board with advice of legal counsel,” Alloy said.

“If a company has to try to enforce this provision—whether a clawback or forfeiture of equity or incentive compensation—it is probably going to lead to litigation if the amount is significant enough,” Alloy noted. Thus, consider whether to build mandatory arbitration into a clawback or forfeiture policy, and whether to include a provision requiring payment of legal fees and expenses if the company succeeds in its case, which may deter some employees from challenging a forfeiture or clawback decision, he said.

Spivack recommended having contract clauses that allow all, or part, of deferred compensation to be rescinded in the event of misconduct.

There are also non-contractual remedies available to companies. In some states, courts have recognized the “faithless servant doctrine,” which states that companies can recover compensation paid to employees who engaged in serious acts of disloyalty that caused significant harm to the company, Alloy said.

The message from the DoJ is, “‘We want you to try. We want you to do what you can. We certainly understand there is a probability that you won’t be able to achieve this,’” Spivack said. What matters, what the DoJ is focused on, is the overall good-faith effort on the part of companies.

This topic and more will be covered at ACI’s 40th International Conference on the FCPA in Washington, DC, November 29–30, 2023. For more information, and to register, please visit: www.FCPAconference.com.


How to Handle a Cross-Border Anticorruption Investigation

Juggling conversations with multiple enforcement agencies simultaneously in the course of a cross-border anticorruption investigation can be a difficult and daunting task for legal and compliance teams. Getting it right can mean the difference between reaching a fair outcome or causing more legal trouble for the company in the end.


“Companies can assume that the United States, the United Kingdom, and other notable jurisdictions—France, Germany, the Netherlands, for example—will all be working in concert together,” said Barry Vitou, head of the global investigations and enforcement practice at Holman Fenwick Willan.

That increased coordination between agencies ups the ante for companies under investigation, because it “creates a greater risk of wrongdoing being uncovered, and also, perhaps, creates a greater degree of complexity when seeking to resolve the issue,” Vitou noted.

While the relationship between the U.S. Department of Justice and the U.K. Serious Fraud Office (SFO), in particular, certainly has seen ups and downs, “It’s definitely in an up period,” said Daniel Kahn, former head of the DoJ’s Fraud Section and FCPA Unit, and now a partner at Davis Polk.

Camilla de Silva, former co-head of Fraud and Corruption at the SFO, said during her time at the agency, from 2014 to 2020, “there was definitely an ever-increasing development of coordination.” That coordination was twofold: operationally and intellectually, from an information-sharing standpoint, she said.

The Rolls Royce case, in particular, was a real turning point, because it demonstrated how the two agencies “could work together on a matter and get a good result,” Kahn said. “We have continued to see strong coordination and cooperation in recent cases as well.”

As SFO Director Lisa Osofsky highlighted in public remarks, “our record-breaking resolutions with Glencore and Airbus would not have been possible if we had not invested in the relationships that enabled us to have frank discussions and identify effective ways of working side by side with our international partners.”

In Glencore, the SFO levied the biggest corporate sentence in U.K. history, while the €3.6 billion (US$4 billion) global coordinated resolution reached with Airbus in January 2020 resulted in the SFO’s largest penalty under a deferred prosecution agreement—a €991 million (US$1.1 billion) fine.


In another collaborative move, the Fraud Section has, since 2017, detailed a U.S. prosecutor to the SFO and U.K. Financial Conduct Authority (FCA). Deployed from and overseen by the Corporate Enforcement, Compliance, and Policy (CECP) Unit, this individual participates in FCA and SFO investigations, and advises law enforcement personnel on effective interagency coordination, “and otherwise serves as a liaison between the Fraud Section and some of its most critical overseas law enforcement and regulatory partners,” according to the Fraud Section’s 2022 “Year in Review” report.

Investigation Stages

Kahn says there are three stages of an investigation, each of which should be handled differently. Those three stages are the initiation of an investigation, the investigation/cooperation phase, and the resolution phase. Each of those stages is discussed in more detail below.

During the initiation of an investigation, if the company has made a decision to voluntarily self-disclose a matter, and the issue touches upon both the United States and the United Kingdom, “you most likely will want to disclose to both agencies to get the benefit of self-disclosures from both agencies,” Kahn said.

A company should be prepared to field “fact-specific questions when the investigation first kicks off around the underlying facts or issues,” Vitou said.

“In the investigation stage, the most important thing is to keep open lines of communication and to talk through any issues or any differences between each agency’s demands and requests,” Kahn said. If the DoJ is demanding something that is going to impact what the SFO wants or is doing, “make sure you are communicating that to both agencies, and that you are having good enough dialogue to flag things, so that the SFO and DoJ can be talking to each other,” he said.

Although enforcement agencies are increasingly coordinating with one another, and some degree of investigative overlap will occur, companies should still anticipate having separate conversations with authorities. “The SFO, for example, is not going to rubberstamp everything the DoJ asks. They will want to ask their own questions, as will the French and Dutch authorities, for example,” Vitou said. Because each enforcement authority’s enforcement approach and legal systems differ, “you’d want to have legal counsel on board that are experienced in the jurisdictions that you are dealing with,” de Silva said.

It’s also critically important to be upfront and transparent with all the agencies. “If Agency A receives slightly different information than Agency B, that’s not going to fly. It’s likely to backfire,” Vitou said. “You want to be transparent with everybody.”

Having “open and frank conversation with both agencies” and making sure to flag all relevant issues, Kahn said, also will work in the company’s favor in matters where privacy issues or employment law issues arise, and the company may not be able to produce certain records because they violate the EU General Data Protection Regulation (GDPR), for example.

Looking ahead, “we’re seeing more jurisdictions looking to resolve issues within their own jurisdiction, as well as pushing forward with their own anticorruption legislation,” de Silva said. In some ways, that’s beneficial to companies facing investigations, because it’s less of a drain on corporate resources when you can respond to multiple agencies at the same time, she said.

At some point during the discussion with enforcement authorities, questions will be posed about the company’s compliance program, and so “you would expect the general counsel or the head of legal to be involved,” and, often, the chief compliance officer as well, Vitou said. In some companies, that individual may hold this dual role.

Lastly, during the resolution stage, it’s important to ensure everyone is on the same page and progressing at the same pace in order to get to one coordinated resolution. “We’ve seen that in the public cases that have resolved where credit was given, so there is precedent for that,” Kahn said.

At the same time, however, jurisdictions new to the anticorruption regulatory or enforcement landscape present unknowns for companies as far as their expectations. “If you can get to a place where you have a good working relationship with the other side, even if it is adversarial,” de Silva said, “that is better than being in a position where there is lack of trust.”

ACI will be holding its Anti-Corruption and CSR France, October 9–10, in Paris. For more information, and to register, please visit www.C5-Online.com/AC-France.


The Role Of Artificial Intelligence In Ephemeral Messaging

In recent months, U.S. regulators and enforcement authorities alike have signaled through enforcement actions and pronouncements that they are paying closer attention to companies’ oversight practices regarding employees’ permitted use of third-party messaging applications, including ephemeral messaging.

Ephemeral messaging has increasingly become a bane to legal and compliance teams, because by the very nature of its functionality, chat messages expire after a short period of time or can be self-destructed immediately by the individual users, after which time such communications are deleted permanently.

“Clearly, it’s very problematic if companies are allowing employees to use them for business communications, because then you don’t have any record retained either for litigation holds or any type of regulatory oversight,” said April Goff, a partner at Perkins Coie.

Despite the challenges posed by ephemeral messaging, the U.S. Securities and Exchange Commission and the Department of Justice have warned companies they must make efforts to preserve such communications, nonetheless.

In public remarks, Assistant Attorney General Kenneth Polite said companies should be prepared to demonstrate to prosecutors their “preservation and deletion settings” regarding business-related electronic data and communications, as well as its policies around any bring-your-own-device (BYOD) program the company might have in place.

“If people are using these tools to communicate on behalf of your business, and you don’t have the ability to preserve or produce a historical record of what was discussed, you’re limiting your defense if something goes wrong,” said Robert Cruz, vice president of information governance at Smarsh.

Indeed, Polite warned that prosecutors will not accept at face value a company’s failure to produce such communications. “A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability. So, when crisis hits, let this be top of mind,” he said.

As U.S. regulators and enforcement authorities alike become increasingly focused on corporate oversight practices of their employees' use of third-party messaging applications, including ephemeral messaging, companies should ensure their data preservation controls align with their recordkeeping obligations. Data security experts offer some tips inside.

BYOD Policy

Given the increasing regulatory attention being placed on oversight practices of ephemeral messaging for business purposes, those in heavily regulated industries “should first consider their information-governance policies and protocols with regards to data retention and deletion,” said Al Park, senior managing director at FTI Technology.

Goff similarly stressed that an acceptable use policy is a company’s first level of defense, and the primary way of managing the challenges posed by ephemeral messaging. However, just having an ephemeral messaging policy on its own is not enough, she said. “It has to be practical, enforced, and have some teeth behind it.”

Polite stressed this point further in his remarks: “Our prosecutors will also consider how companies communicate the policies to employees, and whether they enforce them on a consistent basis.”

Technology Considerations

BYOD policies should be complemented by robust data preservation controls—for example, “data archiving and storage settings that cannot be altered by the employee or the end user,” Park said. “If organizations have implemented centrally administrated messaging applications such as Slack or Microsoft Teams, those platforms offer built-in governance and compliance controls that can be aligned to specific data retention parameters.”

Furthermore, Park added, companies should make clear through a BYOD program that they have the right “to enforce the use of companywide messaging applications over which IT and legal have administrative control for the purposes of communications monitoring and data preservation.”

The following are some additional measures to consider:

Choose the right tool. From an investigative and e-discovery standpoint, capturing and storing data is easier said than done, as each of these various applications provide a different set of information-sharing features and different ways for users to interact with one another, creating oceans of unstructured data—social media posts, documents, videos, audio files, and more.

“You need a system that enables the business to preserve all the unique metadata elements,” Cruz added. “Other third-party messaging applications—WhatsApp, WeChat, Telegram, Signal, and Discord, for example—all include a unique set of features, methods of access, and a variety of technologies to encrypt data.”

For these types of technologies, there are third-party tools that enable businesses to capture communications and data for preservation purposes. “Many ephemeral messaging platforms allow users to disable the auto-delete function within the application,” Park said. This, too, can be enforced by a BYOD policy.

Similarly, when messages are encrypted, a BYOD policy can require that employees provide the organization with their encryption keys, “so those messages can be recovered and accessed if the need arises for compliance or legal purposes,” Park added.

But, again, each organization must first decide what data it needs to capture in order to meet its regulatory or compliance obligations, after which time it can then figure out what technology has the capabilities to “talk to” the company’s API software in order to provide a complete and accurate record of business communications, Cruz said. “Question number one is, ‘Are you comfortable as a business that if you let your employees use a [third-party messaging application] that you have the appropriate technologies to know how it is being used?’” he said.

Make sense of the data. Ultimately, during an internal investigation or e-discovery, it’s critical to understand the context of the conversation. The key question there is, “What activity took place on that platform?” Cruz said.

“It’s important to segment and render these messages in a meaningful way, so they can be reviewed in context,” said Tim Anderson, senior managing director at FTI Technology. “Our teams use contextual and density analysis to group related and relevant chat messages together into a single view so that they can be understood in the broader context of a conversation, but not muddled with irrelevant noise. Similarly, we are working to standardize the rendering of emojis and reactions across platforms so they can be searched and analyzed for additional context and nuance in conversations of interest.”

A cross-platform analysis can also be conducted “to maximize efficiency in gaining insight from the available data and connect the dots between messages and users that have hopped across multiple channels,” Anderson added. Granular historical user activity can also be leveraged “to understand when participants joined, left, posted or reacted to messages, all of which can be used to enrich the known facts of a matter.”

Consider enlisting a digital forensic expert. Particularly during a corruption investigation, the company may want to enlist the help of a digital forensics expert with the expertise to know where to look for pertinent data, what to look for, and how to retrieve it. “There are some digital forensics methods that make it possible to recover deleted data in some instances,” Anderson said.

“In other cases, digital forensics experts can, at times, find evidence of deleted messages, use of prohibited applications or channel-hopping, which helps tell a story about a user’s activity, or offer new clues to follow, even when data has been deleted,” Anderson added.

If a company chooses to work with a digital forensic expert, however, Goff stressed the importance of having a non-disclosure agreement or contractual procedures in place as it relates to the disclosure of any sensitive or confidential information.

BYOD Program Elements

The DoJ’s newly revised “Evaluation of Corporate Compliance Programs” (ECCP), issued in March 2023, provides further guidance for companies on how prosecutors will evaluate a BYOD program. The ECCP directs prosecutors to consider the following specific questions—which means companies should be thinking about such questions too:

• What relevant code of conduct, privacy, security, and employment laws or policies govern the organization’s ability to ensure security or monitor/access business-related communications?

• What are the company’s BYOD policies governing preservation of and access to corporate data and communications stored on personal devices, including data contained within messaging platforms, and what is the rationale behind those policies?

• Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?

• How does the company apply and enforce data retention and business conduct policies concerning personal devices and messaging applications?

• If employees are required by policy to transfer messages, data, and other communication from their personal devices or messaging applications onto the company’s recordkeeping system to preserve and retain them, how is it enforced?

Goff advised working with the IT or procurement team before permitting the use of any messaging application. A BYOD program also needs a cross-functional team behind it—human resources, legal, compliance, and technology need to work hand-in-hand, she said.

“We encourage clients to limit the type of applications until they are fully vetted to ensure they have the capability to work with the company’s API or to retain information as needed for document retention litigation purposes or with respect to regulatory oversight,” Goff added. “And, again, it still needs to be consistent with the company’s acceptable use policy.”

ACI will be holding its “13th West Coast Forum on FCPA Enforcement and Compliance” conference June 14–15, in San Francisco. For more information, please visit: www.AmericanConference.com/FCPA-West-Coast

Building a Data-Driven Anticorruption Compliance Program

U.S. enforcement authorities have made it clear that multinational companies today should have in place a sound data analytics compliance program to proactively mitigate risks. Compliance departments should heed the warning.

For more than two years now, heads of the U.S. Department of Justice have maintained a steady drumbeat that they expect companies today to have in place a sound data analytics compliance program to proactively mitigate risks. Compliance departments should heed the warnings.

An especially significant development portending the DoJ’s intensified focus on data-driven compliance programs was the onboarding in September 2022 of Matt Galvin into the Fraud Section’s recently restructured Corporate Enforcement, Compliance and Policy (CECP) Unit.

As former head of compliance at global brewing company Anheuser-Busch InBev (AB InBev), Galvin is a compliance expert well known for his innovative use of artificial intelligence and machine learning in proactively mitigating compliance risk. In 2017, Galvin spearheaded the launch of AB InBev’s advanced data analytics platform, BrewRIGHT, which culls troves of compliance and transactional data from numerous accounting and compliance systems across the company and harmonizes it into a centralized repository.

The platform runs algorithms to organize and analyze the data under such buckets as anticorruption and fraud risk, vendor management, anti-money laundering, economic sanctions, conflicts of interest, and even free beer giveaways. Specially built dashboards enable AB InBev’s compliance teams to proactively identify and monitor any algorithms flagged as high-risk and root out risks across the more than 50 markets where AB InBev operates. Simply put, the hiring of Galvin as a data analytics advisor for the Fraud Section is a strategic move.

Another significant hire at the DoJ was the appointment of Glenn Leon as the Fraud Section’s new chief, who joined the agency after serving most recently as chief ethics and compliance officer at Hewlett Packard. The onboarding of more compliance professionals means prosecutors are more adept than ever at assessing companies’ compliance programs.

“We are using every tool at our disposal to combat corporate crime, including more sophisticated data analytics and other means to proactively identify criminal conduct,” Assistant Attorney General Kenneth Polite said in Jan. 17 remarks at Georgetown University.

DoJ authorities have consistently made clear they expect compliance departments to use technological capabilities to detect misconduct as well. In keynote remarks made in October 2021, then-principal associate deputy attorney general John Carlin said, “It’s going to be the expectation [at the DoJ] when evaluating compliance programs that corporations are using the same type of analytics to look for and predict misconduct.”

Broadening data sets

A sound data analytics compliance program requires companies to monitor beyond traditional sources of data to include their employees’ use of personal devices and third-party messaging applications for business purposes. They must also have the ability to preserve and recover relevant data in the event of an investigation.

In an agency memo issued in September 2022, revising corporate criminal enforcement policies, Deputy Attorney General Lisa Monaco made clear that companies are expected to have policies governing personal devices and third-party messaging apps, employee training on such policies, and enforcement of those policies when violations are identified.

The U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission are focusing their sights on illegal uses of personal devices and third-party messaging apps as well, having issued billions in fines in the financial services industry for such violations.

Risk-based data analytics

In public comments, Leon said he doesn’t expect companies to have the “shiniest tool,” but rather that they turn data they already have into actionable results. This necessarily requires compliance to have access to relevant data.

According to the Criminal Division’s “Evaluation of Corporate Compliance Programs” guidance, questions to consider include, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”

Just as the DoJ has repeatedly stressed compliance programs should be risk-based, “I would expect they would look at data analytics the same way,” Scott Schools, chief ethics and compliance officer at Uber, said on a recent webinar. “At least from my perspective, I would want to make sure I can defend the level of resources I am expending on data analytics, based on a risk-based analysis.”

Data-driven compliance measures

Robert Houle, an analytics consulting manager at Baker Tilly, shared some best practices for establishing a data-driven compliance program, including the following:

Map the data. Begin by identifying all the systems across the organization that are capturing data. Consider the following questions: “How is data flowing through those systems? How is the data being manipulated or changed? Does it converge with other systems at some point?”

Collect the data into a centralized dashboard. After mapping out the data, the next step is to extract and consolidate the data from those multiple systems. Once consolidated, the data can then be cleaned and harmonized. Because data is typically pulled from multiple systems, building a reliable data workflow process is important. “If you’re grabbing the wrong data, your visualizations are not going to be relevant,” Houle said. “They might guide you in the wrong direction.”

Analyze and compare the data. This step is where human context comes into play, evaluating for trends by applying filters and interacting with the data in various ways—analyzing data across a specific business function or specific regions, for example. This is also when to introduce algorithms and measure the data against key risk indicators (KRIs).

In practice, a robust data visualization process requires “involving a very focused team that has a strong analytics background,” Houle said. The data analytics team should not work in a silo, he added, but rather work alongside compliance and other functions to understand, for example, “‘What are the risk drivers at the organization? What KRIs are we going to measure against? How are we going to quantify risk?’”

Report out the results from the data visualization exercise. Some questions for compliance to consider are, “Where are the gaps? What do we need to improve upon?” Houle said. This process is an ongoing cycle, starting with a data-driven risk assessment and continuing with continuous auditing and monitoring, he said.

Conclusion

Polite noted that the DoJ is “working more closely than ever” with law enforcement partners around the world, and that most FCPA resolutions in recent years were “the result of cooperation and coordination with foreign and domestic authorities.” The warning is this: In the event of an investigation, failure to have in place a sound data analytics compliance program can quickly turn into a cross-border nightmare for a multinational company.

Data analytics does not necessarily have to be costly or complex. Companies with limited resources can start by analyzing investigations and complaints data, in combination with cultural surveys, for example, that may collectively point to red flags or trouble spots. Ultimately, the end goal is for the compliance function to draw meaningful and proactive insight into where compliance risks may be present or where improvements may be necessary.

ACI will be holding a forum on data analytics at its “12th Summit on Anti-Corruption Brazil,” taking place May 23–25, at the Intercontinental Hotel in São Paulo | www.FCPAconference.com

About Us

C5 celebrates 40 years of excellence!

We are thrilled to announce that the C5 Group of Companies including Canadian Institute, American Conference Institute, and C5, is celebrating 40 years of providing exceptional conference experiences to attendees around the globe. It has been an incredible journey, and we could not have done it without our outstanding team and loyal speakers, sponsors, partners and attendees.

To mark this milestone, we are launching a brand new logo that reflects our commitment to innovation, growth, and excellence. Our new C5 logo embodies the five core principles that define our brand: our commitment to delivering conferences that are Current, Connected, Customer-Centric, Conscientious, and Committed — the five Cs of C5.

As we look back on the past 40 years, we are so grateful and proud of what we have accomplished. We have hosted conferences all over the globe, brought together industry leaders from across industries to share knowledge and insights, and helped countless businesses and professionals grow and succeed.

But we are not done yet. We are more committed than ever to pushing the boundaries of what’s possible and delivering unforgettable conference experiences that leave a lasting impact.

Thank you to everyone who has been a part of our journey so far. Here’s to the next 40 years of continued success!
