Yesterday I celebrated the signing of the Declaration of Independence and, more particularly, the signature of John Hancock as emblematic of culture change in a compliance program. Today I want to celebrate another well-known revolutionary figure to illustrate another component of a best practices compliance program, Paul Revere.
One of my great enjoyments is listening to The Great Courses lectures. I am currently working through a series entitled “The Surveillance State: Big Data, Freedom, and You” by Professor Paul Rosenzweig. In his lecture entitled “Metadata: Legal or Not?” he discusses how the use of metadata by law enforcement authorities can help them see the bigger picture, as opposed to the tactical surveillance achieved through individual wire taps or internets caches. As an example he talked about how British counter-intelligence experts might have been better served to focus on Paul Revere rather than individual figures in pre-Revolutionary Boston.
The reason – Revere was the central contact between the key revolutionary figures. If the British had identified and then focused their surveillance on Revere, they would have not only discovered who was involved on the Patriot side but might have been able to garner specific intelligence on their plotting. It turned out that Revere was the key figure running communications to and between the Patriots. Today we might call this type of surveillance, reviewing social data to determine connections.
The Department of Justice (DOJ) has used this technique to drive industry sweeps of Foreign Corrupt Practices Act (FCPA) enforcement actions. The Vetco Gray FCPA enforcement action led the DOJ to the company’s corrupt freight forwarder, Panalpina. Someone got the idea that if Panalpina was paying bribes to import equipment into Nigeria for Vetco Gray, perhaps Panalpina was doing so for other energy companies. It turned out they were and that led to ‘Panalpina Settlement Day’ in November 2010, where six companies resolved FCPA enforcement actions for total fines and penalties of approximately $235MM.
This same technique was used in the tech industry. When hardware and software companies bid on large RFPs from national energy concerns or state owned enterprises, they generally work through third party agents who aggregate the bid responses for submission. By identifying the third parties, the DOJ was able to see which tech companies might have violated the FCPA.The DOJ picked up on that model through the HP enforcement action.
Two articles in the Financial Times (FT) pointed out how the use of such metadata can be an effective tool in the detect prong of a best practices compliance program. In the first article, entitled “Rogues revealed by bad language”, Jennifer Thompson reported on research by Ernst & Young (E&Y) on information they received from the Federal Bureau of Investigation (FBI). Thompson reported that “Phrases such “as “nobody will find out”, “cover up” and “off the books” are among those most likely to litter the in-boxes of corporate rogues, according to fraud investigators deploying increasingly popular linguistic software.” Moreover, “Expressions such as “special fees” and “friendly payments” abound for those embroiled in bribery cases, while rogue employees feeling the heat are likeliest to write that they “want no part of this” as well as the somewhat misguided “don’t leave a trail”.”
The technology angle is that there is software available, which performs linguistic analysis that “initially protects employee anonymity, can flag uncharacteristic changes in tone and language in electronic conversations and can be tailored for particular types of employees, such as traders.” Further, Thompson noted that the “use of technology is set to grow as compliance departments police sprawling organisations to avert potentially costly mistakes.”
The second article, entitled “Counter-terrorism tools used to spot fraud”, by Richard Waters detailed how “JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages. The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behaviour that could reveal risks or openings to make money.” While the article focused on the use of the software to spot fraudsters, I believe that such techniques could well be brought in to help in the fight against corruption and bribery.
Catelas Inc. takes another approach. Their software provides the FCPA compliance professional a different way to continuously monitor within a company for possible red flags and to begin to organize and implement a FCPA compliance investigation in a more cost effective manner.
The software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The product then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.
From this data, you can create visual relationship maps. These maps can assist a company to focus resources in any FCPA compliance investigation on any persons within the company that an individual under investigation has interpersonal relationships. The thesis of this approach is that data and information move through trusted relationships. A person who may be involved in a FCPA compliance matter, would be more likely to use such trusted relationships within a company, rather than involving others, to transmit data and information or to engage in any FCPA violative activity.
This approach can assist an investigator in not only finding out what may have transpired in the past but it also allows the investigator to focus who should be questioned going forward. Such relationship maps can also inform the overall investigation protocol by allowing a company to key in on certain persons and transactions; rather than simply running the entire company’s email database through a key word search program, or worse yet, having a law firm (presumably young associate) read every email, at the earliest, preliminary investigative stage.
By automatically uncovering who is talking to whom, when they connected and how well they know each other, you can identify both the internal and external people most likely to be involved. This allows you to review more relevant data and, from that point, expand the scope of any FCPA investigation as warranted.
Think about the foregoing in our example of Paul Revere and the use of metadata. If the British had considered that one person was the key among the many Patriots, this might have raised a red flag (no pun intended) for additional review. Finally, always remember that any of the three technological solutions outlined in this article deal with your own data. It is just sitting there, waiting for you to access and then use it.
Analyzing your own company’s metadata can provide insights into possible red flags for review.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016