Over the past few blog posts, I have been considering the use of artificial intelligence (AI) to make compliance more robust in the three prongs of prevent, detect and remediate. This series has been based upon an article in the Harvard Business Review (HBR), entitled “Artificial Intelligence for the Real World” by Thomas H. Davenport and Rajeev Ronanki, which laid out a structure that every Chief Compliance Officer (CCO) and compliance practitioner can use to think through how AI could be applied in your organization. Today I wrap up the series by considering how the corporate compliance function will be changed by AI going forward and the specific initiatives cognitive technologies could bring to compliance now.

If there was one technology tool for compliance to be bullish about it is AI. There is an obvious cost savings but more importantly there is the opportunity for more effective compliance risk management simultaneously with greater business efficiencies. All of this will lead to more profitability that the compliance function can point to going forward. This can include overseeing routine transactions, answering routine questions and extracting data from documents can be moved to a more efficient and useful platform.

As Hui Chen has noted the Department of Justice (DOJ) has established a Data Analytics Team in the Fraud Section. This will only drive more and greater use of data in compliance for companies under Foreign Corrupt Practices Act (FCPA) scrutiny. This in turn will drive the compliance function to embrace data, data analytics and its use to create a best practices compliance program. There will no doubt be complainers who claim that data analytics were not discussed when the FCPA was enacted in 1977 and it should therefore not be a part of a compliance program today. Such an inane response is akin to a failure to embrace computer technology some 25 years ago.

One thing is certain however and that is technology that will improve the efficiency of compliance and will assist in the operationalization of compliance into fabric of every business which embraces it. But AI is not simply replacing humans with technology but it is the blending of a cognitive system within overall structured jobs. This is where the human element comes in to provide interpretation and context for the data generated with an AI process.

An article in the MIT Sloan Management Review, entitled “Building a More Intelligent Enterpriseby Paul J. H. Schoemaker and Phillip E. Tetlock, explored how businesses could “blend technology-enabled insights with a sophisticated understanding of human judgment, reasoning, and choice” which will provide to them “an advantage over their rivals”. The article provided several different types of projects that I have adapted to demonstrate how AI can be used for compliance.

The reason is simply that AI can make compliance more effective and more efficient but in the next economic iteration, compliance and business advantages will increasingly depend on a shared capacity to make superior judgments and choices. AI is a step which weds the human interaction and experiences with the data which is available to every company – its own internal information which is most generally sitting in siloed verticals and not being used. This data can provide the foundation for a more robust risk management process, including forecasting, risk assessment and risk-based monitoring through AI. When you couple this data with the “growing understanding of human judgment, reasoning, and choice” which has provided insights in what humans do well or poorly; you can pair the best of these two seemingly disparate incongruities.

What are some of the different types of projects which how AI can be used for compliance? A prime example may be the Transparency International – Corruptions Perceptions Index (TI-CPI), which most compliance practitioners rely on for a country’s corruption rating. While the TI-CPI is a good starting point, it is only that. A compliance analysis that an area is high, medium or even low risk does not consider the starting assumption using the TI-CPI. Moreover, because this Index has been used for so long, compliance professionals are biased towards and do not seek out other data which might provide a more nuanced approach.

Consider all the data points in the lifecycle of any business transaction which produce data analytics for a compliance practitioner. When Business Development (BD) initially makes a call on a potential customer; when a request for proposal (RFP) comes into an organization; when the response is formulated with pricing and proposed discounts; during any subsequent contract negotiations; post-contract obligations for travel and training; and continued business development contacts with a customer.

Each of these steps could provide data, which taken singularly might not raise any red flags or even be outside company specifications but taken as a whole it might be a transaction which would lend itself to compliance oversight. Starting with BD, what was the spend on gifts, travel and entertainment (GTE)? Even if that information is not available to the compliance department it is available from employee reimbursement requests so it can be used to take an appropriate business deduction from the Internal Revenue Service (IRS). From the FCPA perspective, is the customer representative entertaining a foreign government official under the Act? If so, what is the aggregate spend on any one such customer representative over a 12-month period by one BD representative? What is the BD spend on one particular government official by several company BD representatives? Has there been any travel involved to tour company facilities? If so, what was the aggregate spend and was it correlated with other GTE spends?

Are there any contract negotiations which might take place, were any discounts offered outside the standard discount range? If so were these discounts properly vetted through the internal company process? Was this process documented and is there senior management sign-off in place? Did the customer suggest the use of any third parties as suppliers to the prime contract? Were there any charitable donations requested by the customer? Were there any charitable donations made during any part of this process or within 12 months after a successful contract negotiation? Was the contract properly vetted by all required internal processes: by management, legal, and compliance?

If the business function was successful in concluding the contract; did it specify any travel for the customer? How about ongoing training and if so where and for how long? Was there a specification of business class or above travel accommodations? Has any required compliance or FCPA training been delivered to third parties involved in the contract? Was there any Corporate Social Responsibility (CSR) requirement going forward? Does compliance have visibility into this or does is go through a company charitable donation group or committee?

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. The authors conclude by noting, “the cognitive-science revolution holds both promise and challenge for business leaders.” However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition.

As with the adoption of any new technology there will be bumps in the road. However the blending of cognitive technologies with the subject matter expertise of a compliance professional could truly advance compliance quicker and in directions currently not envisioned. It certainly portends an exciting time to be in this profession.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018