The Role of Social Media and AI in Compliance Investigations

| May 29 2019

Can social media posts and data be used as evidence in a compliance investigation? Is it possible to leverage artificial intelligence to identify the right information relevant to an open case among the massive volume of content online? The answer to both questions is yes, and in a new five-part podcast series with Tom Fox, the Compliance Evangelist, we talk about these topics at length from regulatory, technical, and operational perspectives.

Written excerpts from all five parts, edited for clarity, are shared below, as well as links to listen to each episode. To learn more about Hanzo's Compliance Investigations technology, visit our website

Episode 1: The Current State of Compliance Investigations

Tom Fox:
From your perspective, and really the non-lawyer perspective, which I think is important here, what did you see as some of the key guidelines for the compliance practitioner around investigations from the 2019 Department of Justice (DOJ) Evaluation of Corporate Compliance Programs guidance?

Sean Freidlin: I think when that DOJ guidance originally came out, it was a huge resource for compliance teams. Not just to demonstrate the importance of compliance to their senior management and C-suite, and help them understand what they need to demonstrate when it comes to building an effective compliance program, but really I think that the field of compliance is constantly growing and evolving, and for them to have that guidance from the regulatory body that ultimately determines whether or not their programs are effective really helps them understand where they should be focusing their efforts.

In the newly updated guidance released in April 2019, they really focus on investigations, and I think that's because investigations are such a pivotal part of a compliance program. And for a long time, you know, whether it's data from NAVEX Global in their annual hotline benchmark reports or even just data that people are collecting internally, they know that despite the fact that there are hundreds if not thousands of potential investigations being conducted every year in response to hotline and whistleblowing activity, they aren't as effective as they could be or should be.

There were a few key points in this guidance that was shared in April that I thought really, at the very least, supports the case for an investment in more technology around investigations, but also really elevates the standard for what those investigations should look like and what they should involve. There were five or six key points that I want to really focus on that I think are relevant to our conversation and relevant to the conversations you're going to be having with my peers as we progress in this podcast series.

One is having the ability to assess the seriousness of allegations, properly scope each report, and determine whether it merits further investigation and data collection. I think that idea of really diving deeper into collection of data to find more answers, whether it's informing your interview process, validating data that you're getting from the interview, or even just looking for the smoking gun. I think you and I both probably know from our own experiences, yours are obviously deeper and more tenured than mine, that employees are getting to the point where they're smart enough to not incriminate themselves in an email. If they're going to conduct unethical behavior, they're going to use channels that maybe people aren't looking at today, and I think some of that data is missing from investigations in the past.

Two is this idea of keeping investigations objective. appropriately conducted, and properly documented. You and Mike Volkov recently hosted a webinar with the Hanzo team, and documentation and reporting around investigations was a huge talking point. Even the preservation of documents as part of that investigations process; Mike mentioned the fact that if someone is under the assumption that they are being investigated, they might start to delete evidence actively, and even that deletion of that data is almost proving their guilt or at least tipping people off to the potential guilt that they may have.

Listen to episode 1 on iTunes, YouTube, or The FCPA Compliance Report. Watch the webinar below or get a copy in your inbox




Tom Fox: In the first episode of this podcast, we discussed how industry research showed that many compliance investigations today are either unsubstantiated or can take up to 40 days from start to finish. It really seems like the ability to find and analyze data from the web and social media in an automated fashion can help overcome these challenges. Really, more importantly, what the government says is that you must quickly, expeditiously, yet efficiently conclude your investigation. From the company's perspective, if an investigation takes that long a time, the illegal, unethical, or harassment conduct could continue, and it really could drive up the cost in terms of a fine or penalty in an investigation. 

Jim Murphy: I think that you're absolutely right, and the thing that we keep seeing out in the marketplace is that doing some of this investigation work; looking at the web and looking at social media, it's a pretty daunting task. The challenge and problem that we're looking to solve is to make that easy and to remove the friction to really make it accessible to our customer base in a way that works in their workflows, and also works within their schedules to complete a certain task.

Tom Fox: You detailed some of the challenges that this technology can help a company with, and you detailed finding, preserving, archiving and analyzing web and social media based data. I'd like to focus on preserving and archiving, because if you talk to any lawyer who routinely represents clients in front of the government in internal investigations, they uniformly say the government is concerned about your document security. Your archiving and preservation of evidence. I'm just wondering if you could give a few words about the preserving and archiving part, although recognizing that may not be the most sexy part of this, but its certainly a very important part to the regulators.

Jim Murphy: Yeah, absolutely. So everything that we're doing from a preservation perspective is the core of what Hanzo has been doing over the years. The non-sexy part of it I completely relate with. I once did a presentation where I took archived material, and utilizing hashing and metadata, was able to verify and validate that the content that was captured on a particular day, which might have been eight years ago, absolutely was the content that was on that website at that particular day. Now, that's not a fun exercise to watch, but when you need that exercise to be performed, that's something that Hanzo really hangs our hat on. That's where we started off in this industry and we've kept that at the core of everything that we do.

Listen to episode 2 on iTunes, YouTube, or The FCPA Compliance Report 



Jim Murphy: So we spoke last time about the core of what our investigator technology is, and certainly at its foundation is our ability to preserve web content in a legally defensible manner. So understanding that that's good, how are we continuing to enhance what it is that we bring to the market around investigations? The big focus for us as we move forward is on two pillars:

The first pillar being "can I find the right data on the web?"

So we're continuing to integrate with additional data sources, which enhance how it is that we're discovering content, enhance how it is that we're discovering the right subjects, and enhance how we're making that connection between subjects and social media. Our data scientists have a significant focus on making that process more robust, making it faster, and making it more accurate.

The second component where we're really analyzing data, a big focus from our data science team is "how can we analyze this data to make it most useful for our customers?"

One of the directions that we're looking at, I've been referring to it as kind of a "rating ranking" effort. What that really means is, given a corpus of data and given a particular scenario, using machine learning algorithms, am I able to predict and rank? Can I predict how likely it is that there's a risk here for our customers? We know that there's a very limited budget that everybody has to spend in their review and investigation. Our goal is to try and make that budget as effective as possible, so that if there's a ton of data to look through, we can make sure the data you do actually have time and resource to look through is most likely to contain the risky information you need to take a look at.

Tom Fox: The enhanced ability to not only review data, but actually analyze it is something that is always on the forefront of the mind of a compliance practitioner. They often ask "well, I've got this data, what does it mean?" It occurs to me that by helping the compliance practitioner rate and rank the data they have, you can actually makes the investigative process more efficient. Would that be a fair assessment on my part?

Jim Murphy: I think that's absolutely right. What we know is that when it comes time to run an investigation, there's a mountain of data. It's not reasonable to be able to make it through and apply review capacity to everything, and so, we think that it's a very important and very timely aspect to bring to the process; to be able to make sure that we're focusing on the most relevant or most likely to be relevant data.

Listen to episode 3 on iTunes, YouTube, or The FCPA Compliance Report 



Tom Fox: 
I know you spent a lot of time traveling and meeting with different legal and compliance professionals around the country, so at a macro level, what are some of the consistent themes that you are seeing in terms of both problems and solutions for organizations?

Keith Laska: 
I think it comes down to this one prevailing challenge that has a ripple effect throughout an organization. You know, as humans, we create and produce new data faster than we can even process and understand it. Right now, in any office across America, millions of new pieces of unstructured web data are being created with every keystroke by every employee, from website traffic to social media activity to their chats and exchanges and team collaboration tools and email. There's this endless river of data that's flowing with information. Within the corporate compliance and legal functions, managing and understanding data across its life cycle, and understanding the risks, the insights, and the opportunities that exist with that data hasn't been fully embraced and operationalized just yet.

Tom Fox: So I was at a conference this week, a major conference in the compliance space called Compliance Week 2019. One of the keynote speakers was a woman who's quite well known in the compliance space named Hui Chen, and she named, as one of the top challenges for compliance practitioners going forward into the next decade, is the data that's available and the technology around using that data. So when you talk about embracing and operationalizing data within the corporate compliance and legal functions, what does that mean to you?

Keith Laska: I think it comes down to building technology that solves problems as they organically appear and evolve within an organization. Using AI and machine learning are really a part of that solution to processing and controlling the data with the scale and speed that's needed. But it's not some magic bullet that automatically fixes everything, and of course not all AI in tech is created equally. Even the DOJ is elevating their expectations around how compliance teams use and leverage data. Their recently updated guidance on their Evaluation of Corporate Compliance Programs that my colleague Sean spoke about suggests that compliance teams should really leverage the wealth of data they collect to identify any patterns of misconduct and compliance weakness, and also that they should be receiving funding and budget to improve the mechanisms around the processes of conducting and reporting on investigations.

Listen to episode 4 on iTunes or YouTube 



Tom Fox: In our last episode, you were able to give us some of your thoughts and observations, really at a macro level, from your discussions with clients and observations in the industry around how we've moved from utilizing the tools, techniques, and strategies of Hanzo for capturing information from the public web, capturing information internally, archiving it, and using it in a litigation approach, to really a much more proactive approach to help companies streamline and reduce their costs to a very proactive risk mitigation strategy. I was wondering if we could use that as perhaps a starting point. Could you tell us a little bit more about Hanzo’s mission and how Hanzo is helping not only litigation and legal professionals, but the compliance professional, to use the information that is publicly available to help not only measure your risk, but actually manage that risk going forward?

Keith Laska: 
Sure thing Tom. Hanzo’s mission is to help companies be proactive about reducing active litigation. And there are a couple of data points that are really driving the growth of Honzo as a viable solution for compliance and legal professionals, certainly in the U.S., and around the globe.

The first is that according to Dr. Michael Palmer, who wrote a fantastic paper entitled Litigation Risk Management, organizations spend up to 33% of their operating profits on litigation. That's about $23 billion per annum among large U.S. corporations. So obviously companies spend a lot of money in litigation.

The second data point that's interesting is general harassment and of course sexual harassment charges filed with the EEOC are rising by 12% in just one year, largely because of the #MeToo movement, and that's something that corporations are trying to grasp and grapple with. The time it takes to investigate these, and other claims, are falling way outside of the recommended compliance guidelines. And you imagine the effect of that, not only for the company, but the individual who is going through that particular situation.

The third data point is that 86% of US citizens use social media every day. So this is interesting. There's a wide adoption of social media and it's blurred the lines between private company communication like Slack and Sharepoint, Microsoft Teams, and then public social media sites like Facebook, Twitter, Instagram, LinkedIn, and Snapchat. So now you have this interesting dynamic where employees are commonly connecting with each other outside of company networks. They're connecting with each other on Facebook and Instagram and Snapchat, and this is increasing compliance risk in areas that many compliance professionals find hard to understand, if not impossible to analyze.

Tom Fox: Let me just pick up on that last point because you, said that the connections outside the business world are an increased risk. But could I flip that and say that those connections outside the business world that employees are making actually is an opportunity for companies to see if they need to engage in a more robust risk management strategy? Just to see if employees are thinking about, or even doing things, that if are not illegal, maybe unethical, that a company wants to stop before it moves to a true legal violation or something that could be the subject of a civil litigation and monetary damages. Is that an opportunity for companies?

Keith Laska: Without a doubt. You know, I quote my beloved grandfather once told me “if it walks like a duck and quacks like a duck, it's probably a duck.”

If you find continuing abusive behavior on public channels, and people who don't have regard for ethical behavior and kind behavior towards other individuals, the chances are that individual is going to replicate that behavior in other places as well. So while it might not serve to be a smoking gun, so to speak, it will serve to be influential in the process of what you consider to be the right type of individuals to bring into your culture. Whether that be employee screening or individuals who might have a propensity to take things they shouldn't take from the corporation or people who happen to find it a normal, unfortunately, to harass others in a public or even private forum. So there's a lot of value there for corporations to get ahead of and be in charge of if they can.

Tom Fox: That's one of the things that compliance practitioners are really struggling with now. Not only what information should they be looking at, but how they should be utilizing that information.

Listen to episode 5 on iTunes or YouTube 


To learn more about Hanzo's technology for compliance teams, which enables organizations to capture and preserve data and content from the web, social media, and internal communication channels, automate online monitoring, and improve investigations into misconduct stemming from hotline reporting, visit our website or schedule a 20-minute demo to see how it works using the calendar tool embedded below.



Related posts

3 Brilliant Examples of Interactive Digital Marketing and Why They're Compliance Risks

3 Brilliant Examples of...

Every department in an organization is a potential source of risk that compliance professionals need to understand, ...

Read More >
Podcast: Jim Murphy on the Dangers in Using Slack

Podcast: Jim Murphy on the...

A discussion featuring compliance evangelist, Tom Fox and Jim Murphy, VP of Product at Hanzo. As Slack becomes a new ...

Read More >
Real-World Social Media Investigations: Omar and Jenny Ambuila

Real-World Social Media...

You know what’s helpful when you’re trying to keep a multimillion-dollar international bribery scheme going? A ...

Read More >

Get in Touch to Learn More

Hanzo’s purpose-built, best-in-class solutions can help your readiness to respond to the next discovery request, investigation, or audit. Contact us to learn more.

Contact Us