Data Analytics May Hold Key to Compliance with South Korea Anti-Graft Scheme

David White is a director at AlixPartners LLP, where he advises clients on information governance, information security and electronic discovery.

You can reach the author at with any questions about the article.


New anti-graft laws that were promulgated by President Park Geun-hye on March 26, 2015 will take effect in South Korea this month.[1] Consistent with other efforts around the globe to combat corruption, the new legislation prohibits the transfer of value to any public servants, employees of public offices and state agencies, teachers, or journalists in excess of predefined amounts. For example, lunch or dinner shall be limited to a maximum of about $30, and gifts to $45. These can be doubled when they are given at family events such as weddings, funerals or the birth of a child. But if the value of the gift given exceeds these amounts, the offender shall be fined up to five times its value, and if it is more than about $850, criminal penalties shall be imposed.

Anti-bribery laws are not new in South Korea. In fact, South Korea was one of the first signatories at the OECD Anti-Bribery Convention in 1997, and in the following year it enacted legislation – the Act on Preventing Bribery of Foreign Public Officials in International Business Transactions (Korean FBPA) – to implement the convention domestically.[2] Criminal and civil penalties for domestic acts of bribery have also been on the books for many years, seeking to discourage both private and public transfers of value in return for favors. However, there are several key differences in the new anti-graft law that may require companies doing business in Korea to reevaluate their compliance programs.

Prior to the anti-graft law, penalties for domestic bribery were only levied after confirming a connection between the received gifts or favors and the activities of civil servants. Under the new law, it is no longer necessary to prove any purpose behind the gift. The gift itself is enough to establish culpability. More importantly, the preexisting anti-bribery laws did not typically impose liability on corporations for bribes made by its employees. Under the new anti-graft law, corporate criminal liability may be imposed for violations by employees, unless the corporation can show it exerted due care and supervision to prevent such a transfer. This latter change will likely entice companies doing business in Korea to ramp up their supervision and compliance controls. But what level of supervision and controls do these companies really need?

Experience from other jurisdictions dictates that the optimal type, placement and quantity of controls is largely driven by the context in which a company operates, the level of the government officials with which a company interacts, and the types of relationships or interactions a company has with those government officials. To assess the risk inherent in a given activity, a company should work to identify and quantify potential transfers of value to regulated recipients. Gifts, travel, meals, jobs for relatives and even contributions to charities may be considered value that could influence the decision-making of the government official, teacher or journalist. All of these factors determine where and by whom the review or approval should be conducted. It is also important to review these activities and provide a mechanism that allows consistent application of this prereview process throughout the organization, with appropriate record keeping and oversight. Companies can’t simply ask people to self-report their expenses and then raise flags when value transfers exceed the statutory limits. Doing so would simply convert overt graft giving to covert money laundering schemes where transfers become hidden.[3]

Fortunately, modern technology can greatly assist in these efforts. One of the most efficient ways that companies can assess what anti-corruption controls are most appropriate is by gathering historic expense and communications data and analyzing specific activities. Predictive analytics tools can then be leveraged to map existing relationships with public officials based on past behavior, and machine-learning algorithms can be used to identify potential future risks related to gift giving. Companies can leverage such tools to properly match the intensity of their controls with the identified risks for each particular activity. Basing assessments on actual data ensures that organizations are deploying their resources both in the right areas and in ways that maintain the defensibility and credibility of the compliance process. Compliance programs will not be supported if they are viewed as an impediment to conducting efficient business and appear unnecessary given perceived risk. This in turn makes it much more difficult to maintain the exact mechanisms that mitigate critical risk, which are expected by government regulators. Since the essence of a compliance program is the prevention, detection and remediation of wrongdoing, a company’s resources should be allocated to activities that pose the highest risk – and with proper data analytics these risks can easily and efficiently be identified and addressed.


[1] The Improper Solicitation and Graft Act (English translation):

[2] Act on Combating Bribery of Foreign Public Officials in International Business Transactions (English translation):

[3] The Organisation for Economic Co-operation and Development recommends financial and accounting procedures that are ‘‘reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts, to ensure that they cannot be used for the purpose of foreign bribery or hiding such bribery.’’ “Good Practice Guidance on Internal Controls, Ethics, and Compliance” (February 2010), Annex II at ¶ A7.

Web Topics: 
Risk Management
data management
Communications and Information Technology