An interview with Hui Chen, Compliance Counsel Expert at the U.S. Department of Justice (2015-2017)
In this interview, conducted by Lextegrity, former Department of Justice Compliance Counsel Expert and renowned ethics and compliance expert, speaker, and consultant Hui Chen shares her wealth of experience and insights on how compliance data analytics should be used to meet the Department of Justice’s expectations.
(Editor’s Note: Within this interview, Hui is speaking on behalf of herself, and not on behalf of any current or past employer.)
As an overview, can you discuss what the Department of Justice expects when evaluating a company’s compliance program?
The Department of Justice asks three key questions when evaluating corporate compliance programs. First, the department wants to know if a company’s compliance program is well designed. Second, the department considers whether the program is adequately resourced and capable of functioning effectively. Third, the department questions whether a company’s compliance program is working in practice. There’s no single solution for companies seeking to meet these expectations, but integrating data analytics into your compliance program is a good place to start. Prosecutors want to see evidence to back up claims, and data—rather than presumptions and opinions—offer the most objective and verifiable evidence.
What are your general observations on where most compliance organizations are today with respect to understanding their company’s data?
Although there is growing interest in using data, most compliance departments have remained at the very rudimentary level in terms of data analytics. Most importantly, most compliance departments are not in the habit of monitoring their company’s business data, such as their enterprise financial data, for compliance risks. I recall a discussion I had with a Fortune 100 high-tech client whose compliance officer insisted that her company didn’t have data on the marketing money being spent on distributors and data about the revenue those distributors were bringing in. The fact that she believed that was astonishing to me: these are basic kinds of data that every company needs to run its business. Understanding business data is the first step in understanding business, and understanding business is a fundamental necessity in order to be effective in driving compliance.
When people hear the word “data,” they often assume you’re talking about numbers. But what does data analytics mean to you?
Data simply means information, and data analytics is about making sense of information: It’s about trends, patterns, and outliers. For example, compliance organizations often rely on basic data like the number of investigations that are open or substantiated and the distribution of those cases in each country. Just looking at such raw numbers doesn’t tell you very much. For example, you wouldn’t immediately know whether having a low number of open or substantiated cases is good or bad because the number itself doesn’t tell you that. A low number of open or substantiated cases might be due to people being scared to report matters or poor investigative capacities.
You have to put that data in context with other risk data, such as results from monitoring and auditing transactions in that same market. So, if you are finding a lot of non-compliance in your monitoring efforts in that same country, then you know your investigation numbers are not a reliable barometer of reporting. Even if you have substantiated investigations, more widespread monitoring and testing of transactions might even show you that your problems are more serious or widespread than the issues uncovered in those matters, or that your investigations have not been sufficiently thorough.
With all of this in mind, does the Department of Justice actively expect companies to use data analytics in their compliance programs?
Absolutely. Regulators and law enforcement have seen compliance programs with data analytics like the ones I mentioned above and have gone to academic conferences to see the latest research on compliance data analytics. They’re also doing data analytics themselves. The fundamental question that I have advised prosecutors to think about when evaluating a company’s compliance program is whether the compliance program is using data analytics like the rest of the company.
I can hardly think of any major companies that don’t use data analytics in some way. If a company is using data analytics to make money, such as tracking and predicting customer behaviors, but isn’t using data analytics to prevent wrongdoing, that seems like a deliberate choice to blindfold compliance. Companies can’t say that they don’t know how to use data analytics because it’s already being used in departments other than compliance.
How does the department know if a corporation’s compliance program is well designed?
The department has singled out risk management processes and risk-tailored resource allocation, among other factors, as key things to consider when evaluating a compliance program. When judging a program’s risk management process, prosecutors are considering what information and metrics—in other words, data—companies are using to help detect forms of misconduct. As mentioned, basic top 20 lists and other raw data points are insufficient tools to actively detect misconduct. However, data analytics using multiple data sets can provide genuinely impactful insights that can uncover patterns and trends that might have otherwise gone unnoticed.
As for risk-tailored resource allocation, one indicator is when a company devotes a disproportionate amount of time to monitoring low-risk areas instead of high-risk areas. For example, many compliance departments love to focus on travel and entertainment expenses which average maybe $100 per transaction, while they fail to pay attention to third party payments that are tens of thousands per transaction. Another example is a client who told me that 80 percent of their third-parties are designated as high-risk through their due diligence process, which causes that designation to lose all meaning. They got to this point because the company’s different departments were risk rating third-parties differently in their manual and subjective diligence process. This could’ve been avoided if the company relied more heavily on objective data from their financial systems, rather than solely the subjective data from their due diligence processes, to ensure it was monitoring the targeted third parties for different types of risks.
Does the Department of Justice emphasize the importance of effective third-party management when evaluating a company’s compliance program?
We need to remember that the Department of Justice evaluates compliance program in the specific context of their prosecutions. Given the frequency with which third parties have played a role in corporate criminal activities, that is one area that constantly comes under scrutiny. Traditionally, companies emphasize due diligence in managing third-party risks. Due diligence, however, is only the first step in that risk management. The risk doesn’t just come from who they were when they were onboarded: they come from what the third parties do with your company on a continuing basis. An adequate compliance program needs to follow robust onboarding processes with active ongoing transaction monitoring.
How important is it to the Department of Justice for companies’ compliance programs to be based on objective, data-driven information, rather than subjective decision-making?
It’s extremely important. The Department of Justice is a prosecuting agency, and prosecutors want evidence. As I mentioned, a major limitation of traditional third-party risk management is that it relies on subjective decisions about what is high-risk or not. People think, “Well, for this type of risk we think that marketing vendors must be high risk, so let’s categorize all marketing vendors as high risk.” What is the evidence that all marketing vendors present the same level of risk? Broad categorizations based on nothing other than people’s gut feelings is not a responsible way of conducting compliance.
On the other hand, data can provide a compliance team with objective evidence and assessments about their company’s risks, including third-party risks. This shows prosecutors that your company is committed to evidence-based risk detection and proactively detecting wrongdoing, which is what prosecutors are used to.
As for the Department of Justice’s second expectation, how do prosecutors determine if a compliance program is adequately resourced and empowered to function effectively?
The Department of Justice has specifically cited data resources—and access to that data – as a key component of this question. Prosecutors expect companies to use data to demonstrate that compliance resourcing is proportionate to the risks presented by the company’s business profile. This means the evidence about resourcing and effectiveness must be built on data relating to the company’s business model and operations.
Data analytics is about putting the pieces of the puzzle together. It’s the big picture, not the raw data. All of the interesting data, when it comes to compliance, comes from the business data, aside from investigations data. The team that puts it together and tells a story that impacts business decisions will be valued in the company. If I were a compliance person, I’d want to be the one to paint this narrative and inform the business about what issues the company should prioritize from a risk mitigation perspective. That data is sitting in companies’ financial systems and business systems. It’s already there.
Though the Department of Justice expects companies to leverage their data in their compliance programs, companies remain hesitant about investing in compliance data analytics. How would you convince companies to take the plunge?
Using data in compliance isn’t just about satisfying the prosecutors if and when you get in trouble. It is about compliance demonstrating value to the rest of the company every single day. Yes, using data analytics is in line with Department of Justice expectations and can help companies avoid expensive and reputation-damaging legal cases. More importantly, compliance teams that make use of business data can uncover everything from fraud to waste and inefficiencies in the company’s use of resources. When compliance data analytics identifies issues such as duplicate vendors or invoices or paying vendors too quickly, compliance can literally quantify its contribution to the company’s bottom line.
Once compliance data analytics are implemented, functions beyond Compliance across the enterprise can benefit. Internal Audit teams can reorganize their efforts to focus less on labor and cost-intensive periodic sample-based audits, where they fly a team of auditors across the world for two weeks to review a small sample of transactions, to leverage more comprehensive data analytics and doing deeper forensic reviews and third-party audits based on the findings of the data analytics. The Investigations team can access real-time data—risk-scored transactions for vendors and employees—without having to reach out to IT and Finance, and can then scope and resolve their investigations far more quickly and satisfy the ever-present demands of the business leadership for faster close-out of investigations.
The Finance and Procurement organization can use the same data analytics to review existing and new third-party engagements and rationalize the vendor base to reduce risk for the organization. And finally, business leadership can have real data that shows them their spend and their risk and can feel more empowered to decide whether the money they are spending is justified by the risk posed. Compliance teams often talk about shifting accountability for compliance to the business—for them to “own their compliance.” What better way to do that than to give the business the tools to do just that—actual risk data for their teams’ financial transactions.
ABOUT THE EXPERT
Hui Chen served as the first-ever Compliance Counsel Expert at the U.S. Department of Justice, where she was the exclusive consultant to federal prosecutors in the Fraud Section on evaluating corporate ethics & compliance programs. She is the author of the Fraud Section’s “Evaluation of Corporate Compliance” – predecessor to the Criminal Division’s Guidance on the same, which has served as an essential resource for compliance practitioners around the world. Prior to being retained by the Department of Justice, Hui served as a senior compliance leader in technology (Microsoft), biopharmaceuticals (Pfizer), and financial services (Standard Chartered Bank). Hui is also a contributing author to the recent Cambridge University Press book on Measuring Compliance, where she specifically addresses how legal and regulatory regimes measure compliance effectiveness.
This interview has been abridged for space considerations. To read the full version, please visit https://www.lextegrity.com/doj-expectations-compliance-data-analytics
This article also appears in the Fall 2022 issue of Ethisphere Magazine. To read the full issue, click here.
