by Shruti Shah and Jonathan J. Rusch
As they work to maintain the effectiveness of their anti-corruption risk and compliance programs, companies must be increasingly attentive to how well they make use of the data they acquire that are relevant to those programs. The most recent edition of the U.S. Department of Justice’s “Evaluation of Corporate Compliance Programs” document states that prosecutors should inquire into whether compliance and control personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions,” and whether “any impediments exist that limit access to relevant sources of data.”[1]
Companies, however, are increasingly awash in such data from a multiplicity of sources: accounts payable, spend data, third-party supplier data, to name just a few. Many companies make use of rule-based programming, in which human programmers write rules that enable the company to search for and find data indicative of corruption risk. But some companies are increasingly curious about whether they should use a particular field of artificial intelligence: machine learning, in which computer systems “learn” on their own from data and do not depend on human-written rules.
To assist companies in this process, the Coalition for Integrity has now issued a guidance document, Using Machine Learning for Anti-Corruption Risk and Compliance.[2] The guidance states that it is intended “to provide companies in multiple sectors with guidance on whether and how they should consider developing or acquiring anti-corruption machine learning.” In particular, the guidance has four stated objectives:
(1) Identify what types of machine learning warrant consideration for anti-corruption risk and compliance;
(2) Discuss various current uses of machine learning for anti-corruption purposes, including corporate uses for anti-corruption risk and compliance;
(3) State and discuss key considerations in evaluating whether and how to pursue the use of machine learning for anti-corruption risk and compliance; and
(4) Present recommendations and conclusions about what companies should do, particularly in the current economic environment, in considering whether to incorporate anti-corruption machine learning into their governance, risk, and compliance functions.[3]
This post will summarize the key points of the guidance, including how companies should consider whether they have a business case for using anti-corruption machine learning, what steps they should follow in developing such a solution, and which ethical, legal, and governance issues they should address as part of the development process.
What Is the Business Case for Anti-Corruption Machine Learning?
The guidance document first discusses the elements of a company’s anti-corruption compliance program that could benefit from machine learning. These include anti-corruption risk assessment, third-party due diligence and payments, and continuous improvement and periodic testing.[4]
It also notes that before starting any serious consideration of developing or acquiring an anti-corruption machine learning solution, “a company must first articulate a business case for doing so: i.e., determine that there is sufficient justification for adopting and implementing machine learning for anti-corruption purposes, based on its unique risk profile and a frank evaluation of the benefits, costs, and risks of that machine learning.”[5]
To decide whether it has such a business case, the company should consider (1) the relative advantages of rule-based programming versus machine learning (e.g., rule-based programming may be better suited to situations in which the company is reviewing lower volumes of data and the rules that programmers are writing are relatively simple), (2) whether it has “an adequate complement of risk and compliance professionals who would have the necessary training and expertise to make effective use of a machine learning solution’s output,” (3) “whether a machine-learning solution should address a broader range of [the company’s] risks than anti-corruption” (e.g., insider risk), and (4) “both the potential cost and the potential return on investment that a machine learning solution could entail.”[6]
How Should Companies Develop an Anti-Corruption Machine Learning Solution?
Once it has determined that there is a business case for doing so, the guidance explains, a company should then work to develop its machine learning solution in a series of five steps: (1) framing a machine learning problem, which requires the company to define the anti-corruption related machine learning problem as precisely as it can, and proposing a solution; (2) constructing a dataset of sufficient size for that solution; (3) transforming the data (e.g., “changing data types, handling missing data, removing nonalphanumeric characters, and converting categorical data to numerical data”); (4) training the model, which includes the use of training, validation, and testing datasets; and (5) making predictions and assessing the solution’s performance. That last step requires a company, on a continuing basis, to analyze the predictions its model is making, in order to assess how well the actual data that the model uses fit into the machine learning model and determine that there are no significant concerns such as sample bias or learning bias.[7]
The guidance document also provides three examples of companies that have developed and implemented anti-corruption machine learning solutions: AB InBev; Microsoft; and Alexion Pharmaceuticals. In each case, the document discusses the background to each company’s decision-making process and the type of machine learning solution it adopted.[8]
What Other Issues Does Anti-Corruption Machine Learning Implicate?
Finally, anti-corruption machine learning, like other types of artificial intelligence, raises a number of ethical, legal, and governance issues, such as the responsible design and use of artificial intelligence systems, data privacy and cybersecurity concerns, and the potential need to revise existing governance and compliance structures and processes. The guidance document therefore urges that a company “review its codes of ethics to see whether and how those codes address the ethical dimensions of machine learning,” with particular reference to responsible design and use of machine learning.[9] It also identifies a number of legal issues that the company’s use of its anti-corruption machine learning solution may raise, such as data privacy, cybersecurity, and use of machine learning for lawful purposes.[10] Finally, it observes that the company needs to “examine and revise as necessary its existing governance and compliance structures and processes with reference to that solution,” as it may need to make substantial governance and structural changes to make possible an enterprise-wide anti-corruption solution.[11]
Conclusions
In its conclusions, the guidance document makes clear that companies “should take this guidance not as a recommendation that they immediately pursue anti-corruption machine learning, but rather as a template to assist them in internal and external discussions about possible deployment of anti-corruption machine learning.”[12] It further states that it would be inappropriate to say that all companies, regardless of size, business model, and financial resources, need to adopt anti-corruption machine learning, or that regulators will expect all companies to incorporate anti-corruption machine learning into their compliance programs. But experience to date indicates that anti-corruption machine learning holds considerable promise, and that companies should take that into account in deciding how to improve their anti-corruption and related compliance programs.[13]
Although there is no single “yes or no” answer to whether a particular company should adopt anti-corruption machine learning, the Coalition for Integrity’s guidance document can significantly assist chief legal and compliance officers and other senior management in making that decision.
Footnotes
[1] Criminal Division, U.S. Dep’t of Justice, Evaluation of Corporate Compliance Programs 12 (updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download (PDF: 215 KB).
[2] Coalition for Integrity, Using Machine Learning for Anti-Corruption Risk and Compliance 6 (Apr. 8, 2021), https://www.coalitionforintegrity.org/wp-content/uploads/2021/04/Using-Machine-Learning-for-Anti-Corruption-Risk-and-Compliance.pdf (PDF: 2.8 MB).
[3] Id. at 9.
[4] Id. at 13-15.
[5] Id. at 15.
[6] Id. at 15-18.
[7] Id. at 18-38.
[8] See id. at 39-54.
[9] Id. at 55-58.
[10] Id. at 58-65.
[11] Id. at 65-66.
[12] Id. at 68.
[13] Id. at 67.
Shruti Shah is President and CEO of the Coalition for Integrity, a nonprofit organization that works with a broad network of individuals and organizations to combat corruption and promote integrity in the public and private sectors. Jonathan J. Rusch is a Senior Fellow at New York University School of Law’s Program on Corporate Compliance and Enforcement, Adjunct Professor at Georgetown University and American University Washington College of Law, and Principal of DTG Risk & Compliance LLC. He is a former Deputy Chief in the U.S. Department of Justice’s Fraud Section, and former Head of Anti-Bribery & Corruption Governance at Wells Fargo.