Commentary by Jason Gardner
With penalties for financial crime compliance failures in recent years hitting record highs, you can say there are billions of reasons to pay more attention to this roiling area to better ensure your firm is not a target for criminals, regulators or the media.
It’s a lot easier, though, to talk about improving compliance in the safe, esoteric world of what should be done than to get in the trenches and actually create a reasonably bulletproof program while balancing budgets, allaying business line pressures and foils, managing talent and staffing shortages and garnering the all-important senior management buy-in.
But there are some key tenets, or hallmarks, that harried professionals can use as a guide in creating a corporate, enterprise-wide compliance program, whether they are attempting to uncover money laundering or fraud schemes through anti-money laundering dicta, crack down on corruption or bolster cybersecurity portals.
How do we know this? Well, the US government – yes, the very same one we are trying to impress – released a top 10 list in this area a few years back and, just to make sure no one forgot, an official last month highlighted the tactics again to drive the point home. In short, the message from government investigators is clear: this is required reading.
Assistant Attorney General Leslie Caldwell touched on the 10 ways to create a stronger compliance program May 19 at the 10th Annual Compliance Week conference in Washington, D.C., cribbing from a November 2012 Department of Justice Resource Guide to the Foreign Corrupt Practices Act.
That echoing of compliance program points is applicable to more than just preventing corruption, however; it has crucial, bedrock concepts that can buttress financial crime programs more broadly, says Jason Gardner, an AML specialist and attorney who has evaluated a range of issues in anti-money laundering and anti-financial crimes compliance.
Jason Gardner, Esq., runs his own consulting firm, Global Applied Analytics LLC, where he provides AML advice and contracts with various financial institutions to ensure compliance with the BSA Patriot Act. His expertise includes transaction monitoring, KYC review and Risk Assessments for corporate banking products.
Gardner analyzed the newly buffed and re-revealed hallmarks and explained their importance and why, again, compliance officers should heed the call anew to go once more into the breach to make their institutions harder to breach by the vast array of threats arrayed against them.
Here are some excerpts from Caldwell’s speech in italics and Gardner’s responses immediately following, with some additional comments from ACFCS editorial staff.
Leslie Caldwell: While companies have for years appropriately adopted a “risk-based” approach to compliance, we have seen that corporations all too often misdirect their focus to the wrong type of risk.
We have repeatedly seen corporations target the risk of regulatory or law enforcement exposure of institutional and employee misconduct, rather than the risk of the misconduct itself.
The result: compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals.
Jason Gardner: Often reactive instead of proactive. Guarding solely against what the last bank or corporation was accused of. As opposed to learning from the mistakes of other banks and looking at what new risks may be posed by the introduction of new products and expanding geographical areas.
LC: Too often we have heard companies say that a particular course of criminal conduct took them by surprise, when a hard look at the business practices would have identified the risk.
And, far too often, we have heard companies exclaim in defense that everyone else is doing it – that others in the industry are engaged in the same misconduct. But as you all know, an industry-wide compliance failure is not a defense to knowing and willful criminal activity.
JG: Ignorance of the law is not a defense.
Editor’s note: For many years, when Iran and other countries became blacklisted from dealing with the United States, several large foreign banks, with branches and dollar clearing operations in this country, flouted these changes and chose to do business with designated entities and regimes.
Their sentiment was that other banks were doing it, so why would they get caught? Moreover, how could the US get to them or tell them how to make money? The result: multi-billion dollar sanctions penalties, compliance staffing overhauls and long and costly remediation engagements.
Here are the general hallmarks themselves of an effective compliance program:
LC: A company must ensure that its senior leaders provide strong, explicit and visible support for its corporate compliance policies. Corporate management must enforce compliance policies, not tacitly encourage or pressure employees to engage in misconduct to achieve business objectives.
JG: This hallmark is often overlooked, and in my opinion is the most important aspect of any compliance program. The tone is set from the top, and without a leadership that expressly recognizes and explicitly states the importance of a strong [anti-money laundering (AML)] program, the company is doomed to repeat the mistakes of the past.
In most corporate cultures the focus is on the bottom line. What lines of business bring in money and which ones cost money? Compliance is often not looked at as a value-added business line. The desire to recruit the best individuals in lines of business such as investment banking is high.
However, the set of skills to succeed in compliance [is] often just as hard (if not harder) to find than in investment banking. Individuals with a critical mind, and strong communication are needed to follow breadcrumbs of evidence in linking together transactions among suspicious entities.
Compliance should be viewed as instrumental to the success of a company just as any other line of business. This ethos however must come from the top. If it doesn’t, the company will find itself on the wrong end of an investigation and possibly a large fine with numerous negative consequences. As my mother said, either you pay now and pay a little, or pay later and pay a lot.
LC: We look not just at the written policies, but to other messages otherwise conveyed to employees, including through in-person meetings, emails, telephone calls, incentives/bonuses, etc.; and will make a determination regarding whether the company meaningfully stressed compliance or, when faced with a conflict between compliance and profits, encouraged employees to choose profits.
JG: Profits always have been and always will be important. However, a strong moral compass must also be weighed heavily. We have seen profits chosen over compliance repeatedly. The result is always the same. Compliance always wins in the end, and the offending company loses.
LC: Senior executives should be responsible for the implementation and oversight of compliance. Those executives should have authority to report directly to independent monitoring bodies – for example, internal auditors or the board of directors.
JG: As boards have grown and included individuals from multiple backgrounds, individuals with significant compliance backgrounds should be given more consideration for senior roles. Compliance professionals possess skills that can be applied to every line of business and help prevent the company from falling into traps that will cause a loss of monies.
LC: A company’s policies should be clear and in writing and should easily be understood by employees. But having written policies – even those that appear specific and comprehensive “on paper” – is not enough.
JG: The ethos set by the senior management, if true, will trickle down, and the “more than just words on a paper” attitude will be prevalent throughout the organization.
Editor’s note: In enforcement actions and industry conferences, federal regulators and investigators have stressed the importance of a “culture of compliance,” where a tone is set at the top and threads throughout the organization and across borders.
That means that the fears and concerns of compliance staff are not shirked and rebuffed to keep profits flowing, but get the ear of senior management and even the board of directors. That dynamic is vital because, in certain cases, regulators chastised institutions for not listening to compliance, for tarrying in response to examiner requests for program details and for not making improvements quickly enough – leading to higher penalties.
LC: Compliance teams need adequate funding and access to necessary resources. And they must have an appropriate stature within the company.
JG: Most individuals regardless of their profession have a desire to move up in their organization, and be respected among their coworkers (even those in other departments). Many times, compliance professionals have felt as if they are not “real workers” when measured up against the investment bankers, private wealth managers and the like. It’s easier to see money that was brought in, than to see money that was saved. Adequate funding for compliance departments is essential to attract and retain the best in the field.
LC: A company should have an effective process – with sufficient resources – for investigating and documenting allegations of violations.
JG: The process must allow individuals in every department to report possible improper actions. No department should be considered off-limits. Compliance issues can appear in departments ranging from [human resources] to Investment Banking. Employee relationships cross department lines. There should be no manufactured walls preventing compliance professionals from investigating reported violations.
LC: A company periodically should review its compliance policies and practices to keep it up to date with evolving risks and circumstances, including when the company merges with or acquires another company.
In particular, if a US-based entity merges with, acquires or is acquired by a foreign entity, all compliance policies should be reviewed and revised accordingly.
JG: To take this further, the compliance policies and practices should be reviewed when making any significant changes to the company. A significant change includes adding a product line, expanding to a new geographical area and such.
Editor’s note: Mergers and new products are a particularly persnickety area of compliance because of how easily things can fall through the cracks or risks not be adequately addressed at the outset of a new product.
Examiners, compliance officers and consultants have stated that particular attention must be paid to new and legacy systems involved in mergers to ensure they mesh correctly and that customer data – including risks, transaction histories and monitoring alert protocols – are kept intact during the migration to a merged, enterprisewide system.
As well, compliance officers should be in meetings with product and business line leaders when new products are being formulated and not when they are about to be released, because at that time, building in mitigation or monitoring strategies might not be feasible or could be more time-consuming and costly.
LC: A company should have an effective system for confidential, internal reporting of compliance violations.
JG: Employees are often the best resources for sniffing out and identifying suspicious behavior. However, the belief employees have in the organization can erode away if, after reporting violations, their reports are not followed up.
Or, even worse, followed up but quickly disregarded due to the game of internal politics. Senior executives must ensure the internal process is effectively implemented and followed through.
LC: A company should implement mechanisms designed to enforce its policies, including incentivizing compliance and disciplining violations.
JG: This step would be significant in ensuring the company remains compliant. In a perfect world, people would report compliance violations completely freely. And often this does happen. When hiring the right individuals, their moral compass would direct them to do the right things. However, incentives definitely help the program along.
LC: A company should sensitize third parties with which it interacts (for example, vendors, agents or consultants) to the company’s expectation that its partners are compliant.
This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies.
JG: As with the other hallmarks, senior management must take the lead. Many times the financial loss of business with another party drives the conversation. Whereas the driving force should be how does this client make us vulnerable.