With editing and content contributions by Brian Monroe, Director of Content, ACFCS
Financial institutions are expected to establish a strong compliance culture within the organization, but what that exactly means and how it’s set up in practice can be challenging to undertake because of the inherent vagaries of defining parameters to a concept like “culture” in an enterprisewide setting.
That’s because while creating this culture has been a critical focal point in many anti-money laundering (AML) enforcement actions, there is little guidance on the concrete steps to actually take to weave a compliance-focused mindset from tellers to top management and across international borders and multiple regulatory requirements.
But one thing is for sure: the ultimate responsibility to develop the compliance culture rests with the board of directors. The board and senior management need to set the “tone from top,” another ill-defined but loudly buzzing buzzword in financial crime compliance circles, for adherence with applicable laws and establishing what examiners would roundly consider a strong culture of compliance.
This is an issue because while many companies can have advanced transaction monitoring systems and countries overall are under more pressure to have “effective” compliance with financial crime compliance controls, rather than “technical compliance,” having laws on the books, banks can also have excellent written programs and weak implementation.
That means in the work environment, some financial institutions can at times overlook the nuances in crafting a culture of compliance, which would create the wrong impression to regulators of how serious company management and staff take their compliance responsibilities.
While creating a culture of compliance there must be an wholly effective and holistic AML/CFT compliance program focused on identifying and controlling risks. Some key bright line boundaries for this can include:
- Senior management/Board of directors must actively support and recognize the compliance efforts. This could include board-specific, tailored training to prime the board on key issues.
- There should be a line threading between business and compliance, with the understanding that AML risk must not be compromised by revenue interests, or pressure.
- There should be a process in place where relevant information, including current financial crime risks and vulnerabilities should be shared with compliance staff to further AML/CFT efforts.
- Independent Testing of the compliance program is paramount, to test the effectiveness of the compliance program. A weak AML audit function has been cited by regulators globally as that is the main backstop to improve a program before examiners arrive at the door.
- To gauge culture in process, a bank can review how many suspicious activity reports (SARs) or suspicious transaction reports (STRs) are being reported in which areas? A key question: are there any facts being ignored? Could examiners consider that willful blindness?
- Transaction Monitoring and Filtering programs can also emphasize the need for a culture of compliance by including identification of all data sources, validation of the integrity, ensuring the accuracy and quality of data, data extraction and loading processes to ensure a complete and accurate transfer of data. This typically includes the depth and accuracy of the customer risk assessment, which tunes and sensitizes the transaction monitoring system.
- Periodic AML training, including broad spectrum training on fraud, corruption and cyber – this is the concept of convergence. This could also include job specific training related to what that suspicious activities a person at that level of the bank could see.
- A commitment to the realization that a culture of compliance requires continuous vigilance, resources and time to influence widespread change, particularly across large organizations or across borders.
- As regulatory demands continue to grow, companies need to have the resources and technological framework in place to build compliance practices into their everyday workflow, and have metrics to grade individual and overall levels of AML understanding along with measuring changes in practice, including what areas of the bank are better understanding risks and filing more or fewer SARs.
Here are some of the most important pieces to make up what regulators could consider a “culture of compliance,” including:
In any event, there is a general acknowledgment that a company can’t be compliant if it doesn’t fully understand regulators’ expectations.
In today’s constantly evolving regulatory environment – with so many risks to juggle, including program strength, known sectoral vulnerabilities and actual criminal trends – companies need to find new ways to keep up with changing regulations that can expand or constrict depending on guidance or geopolitical events.
As a result, it is extremely important that an organization has the resources in place to keep compliance managers abreast of new developments in multiple jurisdictions, meet rolling deadlines, and understand complex rules in a timely manner allowing them to make more well-informed decisions to better mitigate regulatory risks and ward off informal or formal actions and worst of all, monetary penalties.
That can take the form of vendor databases, dedicated research teams, automated alerts for key financial crime compliance terms and partnerships and memberships with industry compliance associations.
Compliant behavior goes hand in hand with instilling an ethical culture across an organization.
To achieve this, the tone needs to be set from the very top. The means the C-Suite needs to effectively and continuously communicate the expectations, policies and procedures that employees are expected to understand and practice daily.
Senior managers need to be transparent about their own behavior by setting a high standard of ethical conduct that can be filtered down throughout an organization.
This tenet is absolutely vital as top business line managers – the profit producers of the bank – have come under fire in recent years as being foils for compliance controls and some have even actively evading compliance officer inquiries.
In one instance, the pressure to improve business in the case of a large U.S. bank resulted in sales people falsely opening accounts and adding products for customers – and charging them – when the customers never asked for those services, resulting in hefty fines and a top executive stepping down.
Ensuring that employees are thoroughly educated on an organization’s internal policies and external regulations in a regular and influential way is essential. New approaches can include microlearning, a relative new form of training focusing on delivering knowledge in small, specific modules in order to maximize the retention of information.
There is no “one size fits all” approach to compliance education, so companies need to create a customizable framework appealing broadly to the needs and learning styles of different employees at different levels of AML experience, from front line personnel to senior compliance officers, usually with tests or quizzes to granularly gauge retention.
E-Learning programs that leverage interactive, real life use cases, videos with actual investigators and regulators, games and quiz questions that cater to a specific user’s job function, have in many cases proven to be an extremely effective way to reach the current crop of more digital-savvy employees, who often live on their phone and go to YouTube to learn about a given issue – rather than read a report.
A system that offers administrative tracking, reporting and mobile accessibility for users is also beneficial as regulators themselves are under more pressure to prove to their bosses that bank AML teams are learning and improving – so have a heavy focus on not just who in an organization has taken related training sessions, but what were their scores and are the scores improving or falling.
A corporate culture also reflects what managers reward.
By developing suitable compliance incentives, management can demonstrate their commitment to compliant and moral conduct. An employee will be more motivated if there is potential for personal and professional gain in complying with AML rules, processes and controls.
In some U.S. AML enforcement actions, banks under formal orders or remediating extensive monetary penalties have taken the extreme step of tying the annual salaries and bonuses of non-compliance staffers to how responsive they are to AML inquiries and how quickly and completely they help.
How that works in practice: A person can lose out on income if they tarry, or obfuscate, when it comes to complying with AML rules or responding to requests from compliance officers.
Incident Reporting and case Management
Incident reporting and case management – often woven into the transaction monitoring system – is an important aspect of a compliance program in order to ensure a company is able to track and address any misconduct.
Being aware of noncompliance can be a herculean task when it comes to mitigating risk.
This is also a common gap in many compliance programs, borne out in several high-profile AML penalties in the United States and other countries. For instance, in certain instances when banks have had functioning transaction systems creating proper alerts, compliance officers either didn’t act on aberrant activity or where not adequately escalated.
In other cases, banks have had systems troubles where they had to cobble together an AML program from fragmented systems, where the frontline data capturing, AML transaction monitoring and core banking systems are on different platforms – and may not be communicating with each other fully.
Leadership that makes employees feel safe
Given that the true heart of any AML program is the decisions made by alert analysts – and the compliance officers overseeing their work – banks must also realize employees are human, and even those with the best intentions are bound to make errors at some point.
It can take years of advanced training, some say between three and five years, for a compliance analyst to be considered truly effective at their job and able to make difficult decisions based on disparate transactions, jurisdictions and customer types that reach an amorphous threshold dubbed “suspicious.”
To create an atmosphere that will promote growth and loyalty, it’s vital banks try not to zero-in on errors, but rather create an environment where employees know the organization is most interested in their overall success as a fully functioning, accountable and agile compliance program.
That also nudges individuals, and banks, to be more willing to innovate than keep following stagnant processes and old-style thinking that, overall, only catches fractions of a percent of the actual trillions of dollars in illicit cash flowing around the world.
Currently, banks are testing new ways of structuring AML employees, departments and investigators, including using artificial intelligence and machine learning to capture more information in the beginning of a customer relationship, thus getting a more accurate risk assessment, and have more adroit monitoring systems with the ability to create stronger AML alerts that end up as richer intelligence for law enforcement.
Such systems and mantras across an organization also make it more difficult for a coordinated organized criminal group to victimize one back as the institution can more quickly put together the pieces and close suspect accounts or contact investigators – allowing insight and evidence to take down larger illicit actors.
A personalized compliance experience
Employees who are seen and recognized as valued individuals will have a better chance of flourishing, and by extension maintaining the culture of compliance within your organization.
Personalizing risk levels, creating accountability and deepening communal compliance experience will result in a team of employees who are uniquely and smartly equipped to do their jobs.
When employees are competent, let them show it
One thing that banks say they are having a difficult time finding is more extensive, advanced training. Why? Because it is a waste of time and resources when employees are forced to participate in training that is below their compliance understanding and skill level.
Instead, it makes sense for them and for the organization to allow them to test-out of areas that they already have mastered.
Utilize innovative tools that promote maximum retention
If employees are bored, they won’t retain information. Instead, make use of the tools and systems available that will allow your employees to learn, and apply compliance policies like never before in an atmosphere of enrichment, support and innovation.
As in any worthwhile venture, if employees invest their emotions in the mission of compliance – stopping bad guys for the greater good – their job will take on greater importance than a paycheck, but will engage their passion with a renewed sense of purpose. Only by instilling these virtues at every level of an organization can a true “culture of compliance” be realized.
Image Courtesy – http://wlhconsulting.com/solutions/solutions-frameworks/