A version of this article originally appeared in the June issue of Cosmos.
Better integration of data analytics and technology into corporate compliance programmes fosters rapid transformation, supporting the deployment of automated controls, real-time monitoring, and predictive risk assessments. The age of artificial intelligence (AI) and machine learning (ML) has arrived.
However, the fundamentals of building and implementing a data-enabled compliance programme remain largely unchanged. And the potential cost of neglecting data analytics in a corporate compliance programme has never been higher.
Technology advances, obstacles remain
Technology enablement should remain a high priority for compliance officers. Companies of all sizes now have access to affordable analytic solutions, even if not every firm deploys them effectively.
But many compliance teams find themselves uncertain about what data to collect, how to interpret the results and how to integrate insights into day-to-day operations. This "analytics anxiety" can be paralysing as teams anticipate the ways a regulator or prosecutor could backseat drive their analytics programme.
Nonetheless, the policymakers’ message remains unchanged: leveraging technology and data is a prerequisite to demonstrating a genuine commitment to compliance.
The June 2020 update to the US Department of Justice's (DOJ) Evaluation of Corporate Compliance Programs (ECCP) guidance emphasised the need for businesses to collect, analyse and act on key compliance-related data. The September 2024 ECCP does two things:
- It asks, “Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programmes?”
- It requires companies to “assess how the company has leveraged its data to gain insights into the effectiveness of its compliance programme and otherwise sought to promote an organisational culture that encourages ethical conduct and a commitment to compliance”.
Recent public statements from senior DOJ officials, including former Deputy Attorney General Lisa Monaco, have re-emphasised the importance of leveraging analytics to detect emerging threats and maintain a pulse on an organisation’s compliance health.
Many might have expected that today every major compliance function would be fully tech-enabled. But in practice, adoption has been uneven. While many organisations have integrated analytics for specific compliance tasks (like real-time transaction monitoring), others are still testing the waters.
The challenges they face are not entirely new: budget constraints, legacy systems, limited in-house expertise, or a change-averse corporate culture. What we see today is a world where technology has advanced, but the fundamental organisational obstacles to adoption remain.
The rise of GenAI and new providers
GenAI models can produce everything from realistic text to high-quality synthetic data, potentially disrupting how compliance teams operate. From automating policy drafting to analysing vast data sets for hidden correlations, GenAI has caught the eye of compliance officers, legal counsel and chief financial officers alike. It promises efficiency gains but also raises new questions about data privacy, bias, emerging threats, and risk oversight.
The number of third-party providers now offering specialised compliance analytics solutions has increased in recent years. Previously, many organisations – especially well-capitalised businesses with robust internal data science capabilities – built bespoke solutions. Today, the maturing vendor market gives compliance teams viable options to adopt a “buy” approach. These solutions promise prepackaged analytics, ML algorithms for fraud detection, and dashboards tailored to compliance workflows.
However, many providers still focus on narrow slices of the broader compliance puzzle, such as vendor screening or expense monitoring. What they don’t do is integrate cross-functional data sets to produce novel insights about enterprise-level risk. Organisations face a patchwork of point solutions that can be complex to integrate. Still, a hybrid approach – buy and then customise – has gained popularity.
The four principles of technology adoption
Although technology and regulatory landscapes are advancing, the core principles for adopting data-driven compliance remain as valid today as ever. The cyclical approach of Assess, Plan, Gather, and Build is a proven model that continues to guide effective technology integration.
Assess
- Identify compliance pain points: Are you dealing with repeated internal control failures in specific markets? Are you noticing more frequent third-party violations?
- Evaluate your data readiness: Before deploying advanced tools like AI, make sure your organisation’s data is clean, consolidated, and accessible.
Plan
- Define your objectives: Is your primary goal to enhance detection, automate manual tasks or achieve better risk forecasting?
- Establish stakeholder alignment: Collaborate with legal, IT, finance and each functional business unit to envision how technology will enable compliance.
Gather
- Collect relevant data: Gather structured and unstructured data from internal systems (for example, enterprise resource planning systems, human resource databases) and external sources (for example, adverse media, sanctions lists).
- Assemble the right team: You may need data scientists, legal and accounting experts, and business analysts to work in tandem.
Build
- Deploy incrementally: Start with a pilot project, not a massive overhaul.
- Test and refine: Evaluate your initial results, gather feedback, and refine your approach to ensure meaningful insights and minimise false positives.
This cyclical approach should be a continuous, iterative process, improving technology adoption within the compliance function incrementally.
For many, the question of the day is how to harness GenAI responsibly. The same four-step process applies. Pilot an AI solution on a narrow use case – analyse travel and expense patterns for anomalies or search for redundant customer or vendor financial data that might warrant further consideration – then expand to more complex tasks, like interpreting third-party due diligence reports.
Embrace GenAI as a powerful tool – not a silver bullet. Human oversight, robust data governance and clear processes remain critical to mitigate the new risks that come with AI-driven systems.
A virtuous cycle, not a destination
Regulators continue to insist that data-driven compliance tools are essential, not optional. The near-universal availability of AI technology and the expanding roster of vendors promising end-to-end solutions mark the swell of a new wave of innovation.
While technology moves fast, the core tenets of adopting new tools remain steady. The road to value lies in revisiting the fundamentals: Assess, Plan, Gather, and Build. Companies that integrate analytics into daily operations step-by-step can cultivate a proactive compliance culture that identifies issues before they become crises. Compliance leaders should focus on creating a virtuous cycle where each new data-driven insight informs the next phase of planning and improvement.
A thoughtful, incremental approach to leveraging technology allows compliance teams to scale capabilities and respond to emerging risks with agility.