At the Association of Certified Financial Crime Specialists, it’s vital we keep our finger on the communal compliance pulse of the industry. What criminals, and regulators, are doing affects every component of the program, from customer due diligence to detection and filing systems.
That’s why we talk to a wide range of members and certified professionals at financial institutions large and small to get a better sense of if there are any cross-cutting themes threading the fabric of federal and state regulators. This helps banks war-game and peek into the playbook examiners will be using, an agenda that may not have been articulated to compliance staff.
In an ACFCS query of compliance professionals to better understand the pain points making it harder to their jobs, we found that broader sharing of compliance program structures among a larger universe of institutions, precognitive insight into upcoming exams and more in-depth, case and red-flag based-training are on the wish lists of staffers, but present challenges in implementation.
We also are hearing that in addition to the massive formal fines against large domestic and international banks in recent years – mushrooming from the millions into the billions of dollars – the amount of regulatory scrutiny on compliance programs at most institutions, regardless of size, has hit unprecedented levels.
So in a bid to aid compliance professionals in better adapting, adopting and overcoming these ever increasing array of challenges – some come from the complexity of systems crashing against shrinking budgets, apart from heightened examiner expectations – we queried several compliance officers at large and medium-sized institutions in the US and Canada about their programmatic challenges.
If you would like to chat more about these issues with an ACFCS staff member, feel free to reach out at the email address above.
Here are some edited excerpts of what they had to say:
From a compliance officer at a large bank with operations in the US and Canada
The surprising inflexibility of the risk-based approach:
The risk based approach is being converted into a tool to argue why you should be doing more. We know risk is everywhere and you need to mitigate it, but examiners are always challenging us that we underestimated the risk.
But absent clarity in regulatory guidance as to what they are looking for, it almost boils down to the individual whim of the individual examiner to take issue with what you have done.
Sharing intelligence on what compliance program structures seem to be working:
A key issue for the compliance community is how we can better share intelligence on the proper compliance programs in multiple banks right now that are somehow meeting the changing expectations. It seems somehow there is no incentive for regulators to have reasonable expectations.
I also wish there was something out there to tell me what the regulators were going to do before they do it. I wish there was one thing that examiners would say when you look at these public enforcement actions and formal written agreements, what the regulator really wants you to do.
It can be hard to figure that out, even going line by line and comparing them with other actions, you still can’t even figure it out.
One problem equating to many deficiencies:
It’s also frustrating in exams because regulators find one problem, and say the rest of the program is not good. For instance, if they find one issue, then they say therefore, your controls are no good, therefore, then your risk assessment is no good, therefore your corporate governance is no good, then your policies are no good.
It’s getting to the point that it makes it hard to hire compliance people because that will become the job that nobody wants. The best and brightest minds will be leaving it.
From a compliance officer at a bank in the southern part of the United States
Examiners focusing more on training depth:
Examiners are spending a lot of time making sure people are trained and seeing what we are using. As for what makes my job harder, the main thing is that the regulatory scrutiny we are under is tremendous.
It’s harsh because of our geographic location so close to the Mexican border. That is my No. 1 priority every year, keeping our people trained and current, which is a challenge to do to keep current and stay within our budgets at the same time.
We have also found the need to increase AML training to divisions outside of compliance, such as lending, because we have had examiners ask AML program-related questions to loan officers in those areas to ensure they understand and are doing the proper amount of due diligence and adequately documenting that.
From a compliance officer in Western Europe
The importance of being a compliance diplomat, asking, not telling:
As a compliance officer, you can’t just come in to a bank and start ordering people to give you information and not explain why. They won’t do it and they won’t listen. By explaining the risks, I now have commercial people coming to me with questions on risk and customers. You need to build trust to build programs.
One of the major challenges is when you have a commercial person who has no knowledge about compliance. You want to go deeper about customers or transactions, but they don’t understand your explanations about why the questions are important. They look at me like I am the police.
Making sure you have the right systems in place and tuned correctly is difficult. And if you don’t doing any upgrades or weaving those systems through legacy systems is very hard.
Compliance training needs to encompass other bank functions:
Also, one gap is that compliance officers should have more training in other areas of the bank, so they can know how people in those areas can hide things or appear to give information, without really giving the compliance officer what he or she really needs.
That will help the compliance officer to look deeper, ask better questions and find out more about customers and transactions. That is what I did, so I know the right questions to ask so no department can hide anything.
I wish I could go deeper into the issues, to the human side, such as the reasons behind what we do. I think having more real life cases would give broader importance and context to the job of the compliance officer and get more people outside of AML to buy in. That way they can understand the bigger issues, including what goes on outside the bank and our boundaries.
A second compliance officer for a bank in Canada, with operations in the US
Broad-based training across financial crime spectrum expected:
There is much more of a focus from regulators on training. Normal AML training is just not enough anymore. There is a big push in Canada by examiners to have more training for staff outside of AML compliance, so the coverage is enterprisewide.
The financial crime compliance team is really the second line of defense. The first line is in the branches, with tellers, sales managers and such.
For instance, if you don’t roll out training on politically-exposed persons, bank staff won’t know the risk indicators. We have definitely seen a big increase on that, so much so, it is now part of our ethics learning training you have to validate every year.
Bettering the field is not so much in recuperating losses, but deterring financial crime from the ground up. That would work better than paying big fines and just throwing bodies at the problem. You need to have and hire quality over quantity.
Compliance is more than what’s completed, focus should be on quality:
Overall, one major issue is that business and compliance has become just an emphasis on deliverables and outputs. And just given the amount of volumes and transactions that financial institutions have to manage, it’s the prioritization of outputs over quality.
Those compliance mistakes have a direct correlation to what has happened with the bigger banks. There was more of an emphasis on how much money the bank can make. They also wanted to do only a quick review of clients so not a lot of money is spent on CDD and KYC.
If it’s not done right the first time, it has to be done again:
One of the hardships in some banks is to change the mindset of senior executives and business line managers. As a business, compliance has to have enough staff and resources, but they also have to know what alert outputs are quality outputs.
If the management expectations are not plausible, then you have compliance staff and auditors rushing through customer risk assessments and audits. That is where regulators every year or six months will nab the bank and say you missed this and this.
If we remediate half of the things we did in the beginning, because it wasn’t done right or we didn’t catch a transaction early, then we are not catching anything.
That turns compliance departments into call centers. They are just trying to solve issues all the time with a checklist approach. If that is the case, that is where bad things happen.