As global regulators continue to bear down on cross-border anti-corruption and anti-money laundering enforcement, multinational corporations increasingly find themselves on the receiving end of hefty fines and damaging headlines.
In 2020, the SEC issued a number of Foreign Corrupt Practices Act (FCPA) enforcement actions, totalling over $6.4 billion. Two of which were the agency’s largest resolutions ever, totalling more than $5 billion. This summer, the European Commission introduced new legislative proposals to improve the detection of suspicious activities and address gaps that allow for money laundering through financial institutions. And, most recently, the Financial Conduct Authority (FCA) successfully prosecuted a major retail and commercial bank for weak AML controls that led to one client laundering nearly $500 million over the course of several years.
What is of particular concern for multinational organizations, is that many of the recent larger ABC and AML enforcement cases involved companies with compliance policies, procedures and dedicated resources. The underlying issue is a lack of or weak internal controls, and/or poorly defined or executed policies, to help mitigate and surface isolated incidents before they become larger issues down the line. When evaluating your compliance program and the design of supporting policies, procedures and internal controls, business leaders, compliance professionals and their counsel should:
1. Conduct a Comprehensive Compliance Risk Assessment
Many of the organizations coming under recent scrutiny had a compliance program on paper, but lacked the proper controls in practice to identify misconduct. A holistic and ongoing risk assessment can help identify known, hidden or emerging compliance hot spots and evaluate if controls are appropriate and operating effectively. Throughout the assessment, legal and compliance professionals should review current policies and procedures with significant scrutiny. Are they well designed? Are they being applied in good faith?
Once the assessment is complete, based on the identified vulnerabilities, update policies and processes, strengthen internal controls, and conduct training for identified compliance gaps.
Performing ongoing risk assessments also helps institutions decrease over-reliance on existing controls and train employees to develop awareness of control effectiveness.
2. Incoporate the Use of Data Analytics
Organizations maintain more data than ever, and the utilization of it is no longer a leg up but a baseline expectation across many industries and relevant regulators. By leveraging available data sets, institutions can better identify potential anomalies and ‘problematic’ transactions, connect disparate data and uncover patterns. In addition, as the workforce moves to a hybrid model and in-person management oversight remains limited, data analytics can often expose potential issues in ways that even seaoned human auditors cannot. Once vulnerabilities are detected, tighter controls can be created and a more effective response to address potential misconduct can be developed.
The successful use of data analytics can also more accurately present the operational big picture to business leaders and compliance professionals to better inform decision-making and support strategy initiatives across all key business units—a value-add that can drive revenue enhancement, in addition to ensuring robust compliance.
When misconduct inevitably occurs, the use of data analytics often leads to more efficient investigations and root cause analyses, streamlining data requests and extraction, preliminary assessments and detailed analysis and testing. Ultimately, the use of data can help carry out the pragmatic, focused corrective efforts regulators are keen to see.
Ultimately, the use of data can help carry out the pragmatic, focused corrective efforts regulators are keen to see.
3. Remediate, Remediate, Remediate
Time is the essence when it comes to sufficient remediation. Once misconduct is identified, compliance teams and their counsel should start remediation immediately, perform a root cause analysis and begin communicating with key stakeholders, including regulators, boardmembers and employees, as appropriate.
Speaking from experience, the organizations that successfully demonstrate comprehensive efforts to remediate misconduct receive substantially reduced penalties and may also avoid criminal charges and a government-imposed monitor all together.
Mitigating misconduct is a moving target, especially as fraudsters become more sophisticated and increasingly go great lengths to keep their efforts hidden. Therefore, business leaders and compliance professionals are wise to conduct continuous risk assessments, and also continuously challenge whether the prescribed policies, procedures and internal controls are having the desired effect. Integrating data into these efforts helps more efficiently identify potential problems and respond to the evolving risk landscape. Here too, however, organizations and internal audit teams cannot simply rely on superficial data or information from front line staff that themselves do not understand the complexity of the transactions. Data analytics should instead be used to help test high-risk transactions for reasonableness. Finally, when misconduct surfaces, do not delay – remediate right away.
With regulators across the globe and world leader’s laser focused on cross-border anti-corruption enforcement, multinational corporations are less likely to come under scrutiny if they have an effective ABC/AML program that accounts for their global operations in place. To develop and implement a robust ABC/AML program, business leaders and compliance professionals should evaluate their current internal controls, identifying where they may need to be strengthened or added to account for fradulent activitiy, and understand the data sets currently available and how they can be incorporated to help identify potential anomalies.This proactive approach provides the full operations landscape business leaders and decision-makers need to not only mitigate risk before they become larger issues, but to comprehensviely respond when an incident occurs.