Best Practices for Using Data Analytics in Corporate Compliance Programs

The Department of Justice (“DOJ”) recently released two new updates to the Evaluation of Corporate Compliance Programs (“ECCP”) that underscore the need for companies to have strong data-driven compliance programs. Indeed, as the current Administration continues to rely on compliance departments as a key line of defense for preventing and detecting corporate crime, metrics that showcase an effective compliance program could result in much less serious enforcement actions or fines.

The ECCP, a document used by prosecutors to determine the effectiveness of a compliance program “both at the time of the offense and at the time of the charging decision and resolution,” was updated in June 2020 to emphasize the need for companies to take a data-driven approach to increase the effectiveness of corporate compliance programs. The ECCP states that companies must examine all sources of data available within the organization to determine relevancy and implement practical uses of the data. Thus, compliance and other key personnel must consider whether the data is adequate for continuous monitoring and testing policies and controls.

The first of the new updates issued in March 2023 (Revised ECCP)  requires companies to develop compensation structures that encourage a culture of compliance (i.e., incentivize compliance and disincentivize non-compliance). Incentives may include promotions, rewards, or bonuses. In contrast, disincentives may include compensation clawbacks. The second update applies to the use of personal devices, communications platforms, and messaging applications. To comply with this second update, companies should implement tailored policies and procedures to preserve data if needed for a potential DOJ review.

Below are four ways that companies can use data analytics to ensure their compliance programs conform with the latest updates to the ECCP:

1. 1. Evaluate the effectiveness of policies and procedures – Companies can use data analytics to determine how effectively their policies and procedures mitigate risk. Regarding the latest changes related to compensation structures, data can be analyzed to determine the number of substantiated allegations, the average time to resolve an investigation, and the consistency of disciplinary actions across the organization.

2. 2. Monitor communication channels for suspicious activity – Monitoring communication channels through data analytics can assist companies in identifying non-compliant or unethical behavior. Through information found in e-mails, messages, and phone calls, organizations can identify employees engaging in corrupt practices and determine appropriate disciplinary measures.

3. 3. Access real-time data – Organizations can use data analytics to access real-time data, allowing stakeholders to make informed decisions based on the latest information. Companies can quickly shift their efforts to ensure a more effective compliance program. For example, firms can monitor metrics to determine if incentives positively impact the compliance culture.

4. 4. Identify trends – Historical information can help predict where issues may arise and allow organizations to take proactive action. Regarding the most recent ECCP updates, companies can track the relationship between incentives and compliance with policies and procedures.

A data-driven approach positions organizations to be proactive about their corporate compliance programs. Instead of waiting for the DOJ to come knocking, companies can use real-time information to ensure their compliance controls effectively prevent and/or detect wrongdoing and have the company in a position to respond to regulatory changes swiftly.

Written by: